Denial of Service Vulnerability in Fedify by Fedify Dev
CVE-2026-34148

7.5HIGH

Key Information:

Vendor: @fedify
Status: Fedify; Vocab-runtime
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-34148?

The Fedify library, utilized for federated server applications based on ActivityPub, is susceptible to a significant vulnerability that allows an attacker to exploit recursive HTTP redirects within its remote document loader and authenticated document loader. This flaw enables malicious control over server requests, allowing them to issue repeated outbound requests without a safeguard for maximum redirects or detection of URL loops. As a result, this could lead to excessive resource consumption on the server, culminating in potential denial of service. The vulnerability was rectified in versions 1.9.6, 1.10.5, 2.0.8, and 2.1.1.

Affected Version(s)

fedify < 1.9.6 < 1.9.6

fedify >= 1.10.0, < 1.10.5 < 1.10.0, 1.10.5

fedify >= 2.0.0, < 2.0.8 < 2.0.0, 2.0.8

References

https://github.com/fedify-dev/fedify/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Mar 25, 2026

CVE-2026-34148 Data

JSON

@fedify

What is CVE-2026-34148?

Affected Version(s)

References

CVSS V3.1

Timeline