YesWiki Unauthenticated ActivityPub Signature-Verification Bypass (CVE-2026-52767)
A critical vulnerability, CVE-2026-52767, in YesWiki's `HttpSignatureService::verifySignature()` allows unauthenticated attackers to bypass ActivityPub signature verification due to a loose boolean negation (`!openssl_verify(...)`) accepting `int(-1)` from PHP's `openssl_verify()` under specific conditions, enabling arbitrary Create, Update, and Delete operations on ActivityPub-enabled forms leading to defacement and content manipulation.
A critical vulnerability (CVE-2026-52767) has been identified in YesWiki versions 4.6.2 through 4.6.5, specifically within the HttpSignatureService::verifySignature() method. The flaw stems from a loose boolean negation check (!openssl_verify(...)) that incorrectly interprets a -1 return value from PHP's openssl_verify() function as a successful verification. This bypass is triggered when specific conditions are met, such as using a DSA or EC public key with an RSA-only algorithm (e.g., "RSA-SHA256") on PHP 8.3 with OpenSSL 3.x. An attacker can leverage this to perform unauthenticated Create, Update, and Delete (CRUD) operations on any ActivityPub-enabled YesWiki form. This vulnerability allows for malicious content injection, defacement, spam, SEO poisoning, and data manipulation, posing a significant risk to the integrity and reputation of affected YesWiki instances.
Attack Chain
- An attacker establishes a public web server to host a malicious ActivityPub actor document containing a DSA public key.
- The attacker crafts a
Create,Update, orDeleteActivityPub request targeting the YesWiki instance'sPOST /api/forms/{enabled-form-id}/actor/inboxendpoint. - The malicious request includes a
Signatureheader specifyingalgorithm="RSA-SHA256"and points to the attacker-controlled actor document via thekeyIdparameter. - YesWiki's
HttpSignatureService::verifySignature()fetches the attacker's actor document and attempts to verify the signature using PHP'sopenssl_verify()with the DSA public key and the "RSA-SHA256" algorithm. - Due to the incompatibility between the DSA key and the specified "RSA-SHA256" algorithm on PHP 8.3 + OpenSSL 3.x,
openssl_verify()returnsint(-1). - YesWiki's application logic then processes
!openssl_verify(...), which evaluates tofalsebecause!(-1)isfalsein PHP's truthiness rules, effectively bypassing the signature verification check. - The attacker easily satisfies the
Digestheader enforcement by calculating a SHA-256 hash of their malicious payload. - YesWiki proceeds to execute the
processActivity()method, leading to unauthorizedCreate,Update, orDeleteoperations on the targeted ActivityPub-enabled forms.
Impact
The successful exploitation of CVE-2026-52767 allows for unauthenticated CRUD operations on bazar entries of any ActivityPub-enabled YesWiki form. This can result in widespread defacement and content injection across public-facing wikis, including potential spam and SEO poisoning through manipulated entry bodies which are HTML-rendered and indexed by search engines. Attackers can also erase legitimate federated content by discovering object.id values via public outbox endpoints and then issuing Delete activities. Furthermore, the vulnerability can lead to triple-store pollution in the yeswiki_triples table with attacker-controlled sourceUrl entries, which can interfere with future federation flows and degrade the wiki's overall reputation due to the appearance of receiving signed content from a remote, yet attacker-controlled, actor.
Recommendation
- Patch YesWiki instances immediately to version 4.6.6 or higher to address CVE-2026-52767.
- Deploy the Sigma rule
Detect Unauthenticated YesWiki ActivityPub Inbox Accessto your SIEM to monitor for suspicious POST requests to the/api/forms/*/actor/inboxendpoint, which is a key part of the attack chain. - Monitor web server logs for HTTP POST requests to the
/api/forms/{id}/actor/inboxendpoint withContent-Type: application/activity+jsonthat may indicate attempted exploitation of CVE-2026-52767.
Detection coverage 1
Detect Unauthenticated YesWiki ActivityPub Inbox Access
highDetects CVE-2026-52767 exploitation - Unauthenticated POST requests to YesWiki's ActivityPub inbox endpoint, indicating potential signature bypass attempts or malicious activity. This serves as a general indicator for the attack chain.
Detection queries are available on the platform. Get full rules →