Hubzilla version 11.2.1 contains an important fix for a security issue that would in some cases allow a malicious actor to alter an activity (such as a Like or Announce/Repeat, etc.) without affecting the cryptographic signature of the activity. This could allow unauthenticated activities to be injected into the system.
Only activities coming from other fediverse software relying on LD-Signatures are affected. Hubzilla defaults to using the more robust Data Integrity Proofs where available, such as between Hubzilla instances. In addition, the way Hubzilla normalizes incoming messages before validating the signature mitigated most of the attack vectors, while some would still affect us.
In version 11.2.1, further mitigations have been implemented: activities containing any of the potentially dangerous keywords are now rejected before the signature is even validated.
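A simplified model of the gap and of the mitigation order described above, as an added example that is not Hubzilla or PubCrawl code: the signed-term set, the keyword list and the HMAC stand-in for a real LD-Signature are all assumptions.

```python
import hashlib
import hmac
import json

# Simplified model: an LD-Signature covers the *normalized* document, so any
# term the normalizer drops is not covered by the signature. SIGNED_TERMS stands
# in for the terms a context defines (assumption, not Hubzilla's real set).
SIGNED_TERMS = {"id", "type", "actor", "object"}

# Assumption: the advisory does not list Hubzilla's keywords, so this placeholder
# treats every JSON-LD keyword key (starting with "@") except "@context" as dangerous.
ALLOWED_KEYWORDS = {"@context"}
SECRET = b"constructed-demo-key"  # stand-in for the actor's signing key


def normalize(doc):
    """Keep only signed terms, recursively (models normalization dropping undefined terms)."""
    if isinstance(doc, dict):
        return {k: normalize(v) for k, v in sorted(doc.items()) if k in SIGNED_TERMS}
    if isinstance(doc, list):
        return [normalize(v) for v in doc]
    return doc


def sign(activity):
    canonical = json.dumps(normalize(activity), sort_keys=True, separators=(",", ":"))
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def verify(activity, signature):
    return hmac.compare_digest(sign(activity), signature)


def has_dangerous_keyword(doc):
    """True if any key anywhere in the document is a JSON-LD keyword outside the allowlist."""
    if isinstance(doc, dict):
        return any((k.startswith("@") and k not in ALLOWED_KEYWORDS) or has_dangerous_keyword(v)
                   for k, v in doc.items())
    if isinstance(doc, list):
        return any(has_dangerous_keyword(v) for v in doc)
    return False


def accept(activity, signature):
    """Mitigation order from the advisory: keyword pre-filter first, signature check second."""
    if has_dangerous_keyword(activity):
        return "rejected: dangerous keyword"
    if not verify(activity, signature):
        return "rejected: bad signature"
    return "accepted"


# Constructed sample: a Like signed by its (modelled) actor, plus a copy with an
# injected keyword that the normalizer ignores, so verify() alone still passes.
LIKE = {"@context": "https://www.w3.org/ns/activitystreams", "id": "https://example.org/a/1",
        "type": "Like", "actor": "https://example.org/alice", "object": "https://example.net/p/9"}
SIGNATURE = sign(LIKE)
TAMPERED = {**LIKE, "@graph": [{"type": "Announce"}]}
```

The pre-filter is what catches the tampered copy; a field that the signature does cover (for example `object`) still fails at the signature step.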
Thanks to the Mastodon security team for reporting this issue and helping us understand how the attack works. See also their announcement about the issue.
- CVE: CVE-2026-46349
- Severity: 5.3 (Medium)
- Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
- Vulnerable component: PubCrawl (ActivityPub addon)
- Vulnerable version: Up to and including 11.2
- Fixed in: 11.2.1