CVE-2026-42462: Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

May 26, 2026 (updated June 11, 2026)

An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received.

References

github.com/advisories/GHSA-9rfg-v8g9-9367
github.com/fedify-dev/fedify/releases/tag/2.2.3
github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367
nvd.nist.gov/vuln/detail/CVE-2026-42462

Code Behaviors & Features

Detect and mitigate CVE-2026-42462 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →