Skip to content

Security-related tasks

Every command should be ran as the akkoma user from it's home directory. For example if you are superuser, you would have to wrap the command in su akkoma -s $SHELL -lc "$COMMAND".

From source note about MIX_ENV

The mix command should be prefixed with the name of environment your Akkoma server is running in, usually it's MIX_ENV=prod


Many of these tasks were written in response to a patched exploit. It is recommended to run those very soon after installing its respective security update. Over time with db migrations they might become less accurate or be removed altogether. If you never ran an affected version, there’s no point in running them.

Spoofed AcitivityPub objects exploit (2024-03, fixed in 3.11.1)

Search for uploaded spoofing payloads

Scans local uploads for spoofing payloads. If the instance is not using the local uploader it was not affected. Attachments wil be scanned anyway in case local uploader was used in the past.


This cannot reliably detect payloads attached to deleted posts.

./bin/pleroma_ctl security spoof-uploaded
mix spoof-uploaded

Search for counterfeit posts in database

Scans all notes in the database for signs of being spoofed.


Spoofs targeting local accounts can be detected rather reliably (with some restrictions documented in the task’s logs). Counterfeit posts from remote users cannot. A best-effort attempt is made, but a thorough attacker can avoid this and it may yield a small amount of false positives.

Should you find counterfeit posts of local users, let other admins know so they can delete the too.

./bin/pleroma_ctl security spoof-inserted
mix spoof-inserted