Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
CVE-2026-42462

7HIGH

Key Information:

Vendor: Fedify-dev
Status: Fedify
Vendor: CVE Published:; 10 June 2026

What is CVE-2026-42462?

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.

Affected Version(s)

fedify >= 2.2.0, < 2.2.3 < 2.2.0, 2.2.3

fedify >= 2.1.0, < 2.1.14 < 2.1.0, 2.1.14

fedify >= 2.0.0, < 2.0.18 < 2.0.0, 2.0.18

References

https://github.com/fedify-dev/fedify/security/advisories/...

x_refsource_CONFIRM

https://github.com/fedify-dev/fedify/releases/tag/2.2.3

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42462 Data

JSON

Fedify-dev

What is CVE-2026-42462?

Affected Version(s)

References

CVSS V3.1

Timeline