HIGH · CVE-2026-42462 · CNA: GitHub_M

CVE-2026-42462: Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.

Metrics

CVSS v3.1: 7.0
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a cryptographic signature bypass affecting Fedify, a TypeScript library for building ActivityPub-powered federated server applications. An attacker who has received a signed ActivityPub activity can exploit JSON-LD named-graph restructuring to alter the document's semantic meaning without invalidating its Linked Data Signature, allowing tampered activities to pass signature verification. Successful exploitation enables an attacker to forge or modify federated activities (such as posts, follows, or deletes) that appear to carry a legitimate third-party signature, enabling content tampering and limited information manipulation. No fix versions are currently published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle the Fedify library. Any image whose dependency tree includes an affected version of fedify-dev/fedify is flagged automatically.
Triage: Available

HarborGuard scores this finding at CVSS 7.0 (HIGH) and weights it against each environment's configured compliance policy to determine urgency and routing. Triage tickets are routed to the team inbox designated in each customer org's notification settings, so the finding reaches the right owner without manual sorting.
Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears in the upstream package registry. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point, without requiring manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Fedify-powered service over the network to deliver or relay a manipulated ActivityPub activity.

  • Authentication: Not required

    No account or credential is needed; the attack targets the signature-verification layer of the ActivityPub federation protocol, which accepts unsigned or externally signed input from any network peer.

  • Victim interaction: Not required

    No user action is required; the vulnerable parsing and verification logic executes automatically when the server processes an incoming federated activity.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning the attacker must understand JSON-LD named-graph semantics well enough to craft a restructured document that changes Fedify's interpretation while preserving the original signature digest.

Blast Radius

  • The attacker causes Fedify to accept and process a federated activity whose semantic content differs from what the original signer authorized, enabling unauthorized content modification across federated instances.
  • Integrity of federated objects (posts, follow relationships, delete requests) is compromised because the verified signature no longer corresponds to the data Fedify actually acts on.
  • Limited information disclosure is possible if the restructured activity causes the server to surface or relay data in an unintended context.
  • Availability is marginally impacted, consistent with the CVSS A:L rating, for example through processing errors or state corruption triggered by malformed restructured activities.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-42462, the platform monitors the advisory on every ingest cycle and will make a patched-image rebuild available immediately when fedify-dev/fedify ships a remediated release. For customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads without manual steps. In the interim, compensating controls worth considering include network-policy rules that restrict which remote ActivityPub servers can deliver activities to the Fedify endpoint (reducing the attacker's ability to deliver crafted payloads), egress filtering to limit unsolicited federation peers, and application-level validation layers that re-canonicalize incoming JSON-LD documents before signature verification. HarborGuard will surface a policy alert to environments running any affected version range (>= 1.10.0 < 1.10.10, >= 2.0.0 < 2.0.18, >= 2.1.0 < 2.1.14, >= 2.2.0 < 2.2.3) until a fix version is confirmed available upstream.
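The following is an added example, not Fedify's code, not its upstream fix, and not HarborGuard tooling. It shows one way to build the application-level validation layer mentioned above: a strict gate, run on an incoming document before LD-Signature verification, that rejects anything expressing JSON-LD named graphs. In JSON-LD a named graph can be introduced by a literal "@graph" key, by a context entry that aliases the "@graph" keyword, or by a term defined with "@container": "@graph", so the gate checks all three and additionally refuses remote contexts outside an allowlist (a remote context can carry such definitions out of band). The allowlist, the function names, and the sample documents are assumptions constructed for this example; ordinary ActivityStreams activities have no need for "@graph", so rejecting it costs little.

```typescript
// Added example (not Fedify's code): a gate that rejects JSON-LD documents
// using named-graph constructs before they reach LD-Signature verification.

type Json = null | boolean | number | string | Json[] | JsonObject;
interface JsonObject { [key: string]: Json }

// Assumed allowlist: the remote contexts an ActivityPub inbox normally expects.
const ALLOWED_REMOTE_CONTEXTS = new Set<string>([
  "https://www.w3.org/ns/activitystreams",
  "https://w3id.org/security/v1",
]);

interface GateResult { ok: boolean; reason?: string }

function isObject(v: Json): v is JsonObject {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Inspect a @context value (string, object, array or null). Rejects remote
// contexts that are not allowlisted, terms that alias "@graph", terms with a
// "@graph" container, and recurses into scoped contexts and @import.
function checkContext(ctx: Json, path: string): string | null {
  if (ctx === null) return null; // null resets the active context; harmless
  if (typeof ctx === "string") {
    return ALLOWED_REMOTE_CONTEXTS.has(ctx)
      ? null
      : `${path}: remote context ${ctx} is not allowlisted`;
  }
  if (Array.isArray(ctx)) {
    for (let i = 0; i < ctx.length; i++) {
      const err = checkContext(ctx[i], `${path}[${i}]`);
      if (err) return err;
    }
    return null;
  }
  if (!isObject(ctx)) return `${path}: unexpected context value`;
  for (const [term, def] of Object.entries(ctx)) {
    const tpath = `${path}.${term}`;
    if (term === "@import") {
      const err = checkContext(def, tpath);
      if (err) return err;
      continue;
    }
    if (term.startsWith("@")) continue; // @vocab, @base, @version, ...
    if (def === "@graph") return `${tpath}: term aliases @graph`;
    if (isObject(def)) {
      if (def["@id"] === "@graph") return `${tpath}: term aliases @graph`;
      const container = def["@container"];
      const containers: Json[] = Array.isArray(container)
        ? container
        : container === undefined ? [] : [container];
      if (containers.includes("@graph")) return `${tpath}: @graph container`;
      const scoped = def["@context"];
      if (scoped !== undefined) {
        const err = checkContext(scoped, `${tpath}.@context`);
        if (err) return err;
      }
    }
  }
  return null;
}

// Walk the document body: any "@graph" key is rejected, every @context is
// checked, everything else is descended into.
function walk(node: Json, path: string): string | null {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const err = walk(node[i], `${path}[${i}]`);
      if (err) return err;
    }
    return null;
  }
  if (!isObject(node)) return null;
  for (const [key, value] of Object.entries(node)) {
    const kpath = `${path}.${key}`;
    if (key === "@graph") return `${kpath}: named-graph construct not allowed`;
    const err = key === "@context" ? checkContext(value, kpath) : walk(value, kpath);
    if (err) return err;
  }
  return null;
}

function gateActivity(doc: Json): GateResult {
  if (!isObject(doc)) return { ok: false, reason: "$: activity must be a JSON object" };
  const err = walk(doc, "$");
  return err ? { ok: false, reason: err } : { ok: true };
}

// Constructed samples: one plain Create activity, then one document per rejection path.
const benignCreate: Json = {
  "@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],
  id: "https://example.org/activities/1",
  type: "Create",
  actor: "https://example.org/users/alice",
  object: { id: "https://example.org/notes/1", type: "Note", content: "hello" },
};
const literalGraph: Json = {
  "@context": "https://www.w3.org/ns/activitystreams",
  "@graph": [{ id: "https://example.org/notes/1", type: "Note" }],
};
const aliasedGraph: Json = {
  "@context": ["https://www.w3.org/ns/activitystreams", { g: "@graph" }],
  type: "Create",
  g: [],
};
const graphContainer: Json = {
  "@context": ["https://www.w3.org/ns/activitystreams",
    { items: { "@id": "https://example.org/ns#items", "@container": "@graph" } }],
  type: "Create",
};
const unknownContext: Json = { "@context": "https://unknown.example/ctx.jsonld", type: "Create" };

for (const [name, doc] of Object.entries({ benignCreate, literalGraph, aliasedGraph, graphContainer, unknownContext })) {
  const r = gateActivity(doc);
  console.log(`${name}: ${r.ok ? "accepted" : "rejected (" + r.reason + ")"}`);
}
```

The gate is deliberately structural rather than semantic: it does not try to decide whether a particular named graph is harmful, it simply refuses a construct the inbox never needs, so the document that reaches signature verification is the same flat node tree the application will later act on. Calling gateActivity before verification, and dropping the activity on any rejection, is the intended integration point.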

Affected packages
  • fedify-dev / fedify
    >= 2.2.0, < 2.2.3 · >= 2.1.0, < 2.1.14 · >= 2.0.0, < 2.0.18 · >= 1.10.0, < 1.10.10 · < 1.9.11
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L