PatchSiren cyber security CVE debrief
CVE-2026-42462 fedify-dev CVE debrief
CVE-2026-42462 is a HIGH severity vulnerability (CVSS score 7) in Fedify, a TypeScript library for building federated server apps. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can use JSON-LD features to restructure a JSON-LD document in a way that changes how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. The vulnerability was published on 2026-06-10 and last modified on 2026-06-11.
- Vendor: fedify-dev
- Product: fedify
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of Fedify library versions prior to 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 should be aware of this vulnerability and take steps to upgrade to a patched version.
Technical summary
The vulnerability allows an attacker to bypass JSON-LD signature verification by restructuring a JSON-LD document without changing its Linked Data Signature. This could allow an attacker to alter a third-party signed activity they have received.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Fedify library versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, or 2.2.3 or later.
- Review and update any third-party signed activities received to ensure they have not been altered.
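One way to check a project against the fixed versions listed above, as an added example that is not PatchSiren's or the Fedify project's own code. It assumes the npm package name `@fedify/fedify`, an npm v2/v3 `package-lock.json`, and that release lines newer than 2.2 already carry the fix; the lockfile shown is constructed sample data.

```javascript
// Fixed patch level per release line, from the advisory text above.
const FIXED = { "1.9": 11, "1.10": 10, "2.0": 18, "2.1": 14, "2.2": 3 };
const PACKAGE = "@fedify/fedify"; // assumption: Fedify's npm package name

// Returns "affected", "patched" or "unknown" for one version string.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) return "unknown";
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  const prerelease = m[4] !== undefined;
  const fixed = FIXED[`${major}.${minor}`];
  if (fixed !== undefined) {
    // A pre-release of the fixed version sorts before it, so it is not patched.
    return patch > fixed || (patch === fixed && !prerelease) ? "patched" : "affected";
  }
  if (major > 2 || (major === 2 && minor > 2)) {
    // Assumption: lines after 2.2 carry the fix; a pre-release may predate it.
    return prerelease ? "unknown" : "patched";
  }
  return "affected"; // line with no fixed release named in the advisory
}

// Walks the "packages" map of an npm v2/v3 lockfile, nested copies included.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path.endsWith(`node_modules/${PACKAGE}`) && entry.version) {
      findings.push({ path, version: entry.version, status: classify(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct copy, one nested under a dependency.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@fedify/fedify": { version: "2.2.3" },
    "node_modules/legacy-bridge/node_modules/@fedify/fedify": { version: "1.10.9" },
  },
});

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.version.padEnd(8)} ${f.path}`);
}
```

Nested copies matter here: a transitive dependency can pin an affected release even when the top-level install is patched.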
Evidence notes
The CVE record and NVD detail provide additional information about this vulnerability.
Official resources
CVE-2026-42462 was published on 2026-06-10T22:16:57.387Z and last modified on 2026-06-11T15:34:28.757Z.