{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-42462/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@fedify/fedify (\u003c 2.2.3)"],"_cs_severities":["medium"],"_cs_tags":["fedify","ld-signature-bypass","json-ld","cve-2026-42462"],"_cs_type":"advisory","_cs_vendors":["Fedify"],"content_html":"\u003cp\u003eFedify is susceptible to a critical vulnerability that allows attackers to bypass Linked Data Signatures through JSON-LD Named-Graph Restructuring. This issue stems from the ability to manipulate the structure of JSON-LD documents using features like \u003ccode\u003e@graph\u003c/code\u003e, \u003ccode\u003e@included\u003c/code\u003e, and \u003ccode\u003e@reverse\u003c/code\u003e without invalidating the signature. An attacker can move signed activities, alter their content, or even replace them entirely, leading to significant security implications. The vulnerability impacts Fedify versions prior to 2.2.3. Failure to compact JSON-LD documents against an application\u0026rsquo;s local context allows renaming aliases to non-standard names and using non-mapped aliases to replace existing values. This bypass poses a risk to the integrity and confidentiality of data processed by Fedify, as it can be exploited to forge activities. The vulnerability is identified as CVE-2026-42462.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious JSON-LD document with a signed Activity.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes JSON-LD features like \u003ccode\u003e@graph\u003c/code\u003e to move the top-level Activity to a \u003ccode\u003e@graph\u003c/code\u003e property and moves the activity\u0026rsquo;s \u003ccode\u003eobject\u003c/code\u003e to the top level.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker employs the \u003ccode\u003e@reverse\u003c/code\u003e keyword to reverse an Activity and its \u003ccode\u003eobject\u003c/code\u003e, changing the document\u0026rsquo;s shape.\u003c/li\u003e\n\u003cli\u003eThe attacker can also use the \u003ccode\u003e@included\u003c/code\u003e keyword to move properties outside the normal tree, effectively making them invisible to ActivityPub implementations.\u003c/li\u003e\n\u003cli\u003eThe crafted JSON-LD document bypasses signature verification due to the canonical RDF graph representation remaining unchanged.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Fedify instance processes the manipulated document without detecting the tampering.\u003c/li\u003e\n\u003cli\u003eIf compacting is disabled, the attacker can rename aliases or use non-mapped aliases to replace existing values in the signed JSON-LD document.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully alters or forges activities, potentially leading to replay attacks with stripped attributes, content modification, or even complete activity replacement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of this vulnerability can lead to significant security breaches. With the \u003ccode\u003e@included\u003c/code\u003e keyword, attackers can replay \u003ccode\u003eCreate\u003c/code\u003e and \u003ccode\u003eUpdate\u003c/code\u003e activities while stripping away critical attributes like content or metadata, leading to integrity and availability issues. The \u003ccode\u003e@graph\u003c/code\u003e and \u003ccode\u003e@reverse\u003c/code\u003e keywords enable changing the root activity, which could allow sending malicious announcements. The lack of compacting against an application\u0026rsquo;s local context allows attackers to rewrite activities arbitrarily. The exploitation can lead to major integrity, availability, and potentially confidentiality issues, such as replacing an actor\u0026rsquo;s inbox. The \u003ccode\u003e@fedify/fedify\u003c/code\u003e package versions less than 2.2.3 are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@fedify/fedify\u003c/code\u003e version 2.2.3 or later to patch CVE-2026-42462.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to reject JSON-LD documents containing \u003ccode\u003e@graph\u003c/code\u003e, \u003ccode\u003e@included\u003c/code\u003e, or \u003ccode\u003e@reverse\u003c/code\u003e after compaction, as described in the overview.\u003c/li\u003e\n\u003cli\u003eEnsure JSON-LD documents with verified Linked Data Signatures are compacted against the application\u0026rsquo;s local JSON-LD context to prevent alias manipulation, mitigating the risk described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Fedify JSON-LD Restructuring Attack\u0026rdquo; to monitor for exploitation attempts using \u003ccode\u003e@graph\u003c/code\u003e, \u003ccode\u003e@included\u003c/code\u003e, and \u003ccode\u003e@reverse\u003c/code\u003e keywords in JSON-LD payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T23:40:10Z","date_published":"2026-05-26T23:40:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fedify-ld-signature-bypass/","summary":"Fedify is vulnerable to CVE-2026-42462, a Linked Data Signature bypass via JSON-LD Named-Graph Restructuring, allowing attackers to alter third-party signed activities by manipulating the document structure without invalidating the signature, potentially leading to integrity, availability, and confidentiality issues.","title":"Fedify LD-Signature Bypass via JSON-LD Named-Graph Restructuring","url":"https://feed.craftedsignal.io/briefs/2026-05-fedify-ld-signature-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-42462","version":"https://jsonfeed.org/version/1.1"}