diff --git a/upub/core/src/traits/process.rs b/upub/core/src/traits/process.rs
index 4ad0689c..6f21e5a4 100644
--- a/upub/core/src/traits/process.rs
+++ b/upub/core/src/traits/process.rs
@@ -259,6 +259,9 @@ pub async fn update(ctx: &crate::Context, activity: impl apb::Activity, tx: &Dat
 
 	match object_node.object_type()? {
 		apb::ObjectType::Actor(_) => {
+			if oid != actor_id {
+				return Err(ProcessorError::Unauthorized);
+			}
 			let internal_uid = crate::model::actor::Entity::ap_to_internal(&oid, tx)
 				.await?
 				.ok_or(ProcessorError::Incomplete)?;