CVE-2026-25808 Overview
CVE-2026-25808 is an authorization bypass vulnerability in Hollo, a federated single-user microblogging software that leverages the ActivityPub protocol for federation. Prior to versions 0.6.20 and 0.7.2, the application exposed private content—including direct messages (DMs) and followers-only posts—through the ActivityPub outbox endpoint without proper authorization checks.
Critical Impact
Unauthorized access to private messages and restricted posts through the ActivityPub outbox endpoint, potentially exposing sensitive user communications to any unauthenticated remote actor.
Affected Products
- Hollo versions prior to 0.6.20
- Hollo versions 0.7.x prior to 0.7.2
- All Hollo instances using the ActivityPub outbox endpoint without the security patch
Discovery Timeline
- 2026-02-09 - CVE-2026-25808 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-25808
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), which occurs when a software component does not perform an authorization check when an actor attempts to access a resource or perform an action. In the context of Hollo, the ActivityPub outbox endpoint—designed to serve a user's public posts to federated servers—failed to filter out private content types before returning results.
The ActivityPub protocol defines an outbox as a collection of outgoing activities from an actor. While public posts should be accessible to any requesting party, private content such as direct messages and followers-only posts require proper authorization verification before disclosure. The vulnerable code path returned all posts belonging to an account owner without validating the visibility settings of each post.
Root Cause
The root cause stems from a missing authorization check in the database query that retrieves posts for the ActivityPub outbox. The original implementation queried posts based solely on the account ID without filtering by visibility level. This meant that posts with private, direct, or followers visibility settings were included in outbox responses alongside public and unlisted posts.
Attack Vector
An attacker could exploit this vulnerability by sending unauthenticated requests to the ActivityPub outbox endpoint of any Hollo instance. The attack is network-based and requires no authentication, no user interaction, and low complexity to execute. By querying the outbox endpoint with pagination parameters, an attacker could enumerate and retrieve all posts—including sensitive private communications—from any user on the vulnerable instance.
});
if (owner == null) return null;
const items = await db.query.posts.findMany({
- where: eq(posts.accountId, owner.id),
+ where: and(
+ eq(posts.accountId, owner.id),
+ inArray(posts.visibility, ["public", "unlisted"]),
+ ),
orderBy: desc(posts.published),
offset: Number.parseInt(cursor),
limit: 41,
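Review bot: the allowlist form `inArray(posts.visibility, ["public", "unlisted"])` is the right shape for this fix, because any visibility value introduced later is excluded from the outbox by default rather than leaking until someone remembers to extend a denylist. One point in the unchanged context: `offset: Number.parseInt(cursor)` yields NaN when `cursor` is absent or non-numeric, so the cursor should be validated (default to 0, reject negatives and non-integers) before it is passed to the query as an offset.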
Source: GitHub Commit 329969c
The patch adds a visibility filter to the database query, ensuring only public and unlisted posts are returned through the outbox endpoint. Posts marked as private, direct, or followers are now properly excluded from unauthenticated outbox responses.
Detection Methods for CVE-2026-25808
Indicators of Compromise
- Unusual volume of requests to ActivityPub outbox endpoints (/users/{username}/outbox)
- Access patterns showing systematic pagination through outbox collections
- Requests to outbox endpoints from unfamiliar or suspicious federated instances
- Anomalous traffic patterns targeting user outbox endpoints without corresponding authentication
Detection Strategies
- Monitor web server access logs for high-frequency requests to /outbox endpoints
- Rate-limit ActivityPub endpoints and alert when a client hits the limit, so enumeration attempts surface as events rather than only being slowed
- Review audit logs for bulk data retrieval patterns against user activity streams
- Deploy application-layer monitoring to flag unauthenticated access to sensitive content types
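The "systematic pagination through outbox collections" indicator and the access-log monitoring strategy above, as an added example that is not part of the original advisory or of Hollo: a Python script that parses nginx combined-format access-log lines (constructed here, not real traffic) and flags any client that walked several pages of one user's outbox in a short window. The ?cursor= query-parameter name and the 40-post page step are assumptions inferred from the patched query's offset/limit.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-format nginx access-log lines, constructed for this example (not real traffic).
# The ?cursor= query parameter and 40-post page step are assumptions based on the
# patched query's offset/limit; adjust OUTBOX_RE if your instance paginates differently.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "GET /users/alice/outbox?cursor=0 HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [10/Feb/2026:12:00:02 +0000] "GET /users/alice/outbox?cursor=40 HTTP/1.1" 200 5002 "-" "curl/8.5.0"
203.0.113.7 - - [10/Feb/2026:12:00:03 +0000] "GET /users/alice/outbox?cursor=80 HTTP/1.1" 200 4870 "-" "curl/8.5.0"
203.0.113.7 - - [10/Feb/2026:12:00:04 +0000] "GET /users/alice/outbox?cursor=120 HTTP/1.1" 200 4770 "-" "curl/8.5.0"
198.51.100.9 - - [10/Feb/2026:12:05:00 +0000] "GET /users/alice/outbox HTTP/1.1" 200 1200 "-" "Mastodon/4.2 (+https://example.social/)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
OUTBOX_RE = re.compile(r'^/users/(?P<user>[^/?]+)/outbox(?:\?cursor=(?P<cursor>\d+))?$')


def parse_line(line):
    """Return (ip, timestamp, user, cursor) for an outbox request, or None for anything else."""
    m = LOG_RE.match(line)
    o = OUTBOX_RE.match(m["path"]) if m else None
    if not o:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, o["user"], int(o["cursor"] or 0)


def flag_enumeration(log_text, min_pages=3, window_s=60):
    """Flag clients that fetched >= min_pages distinct pages of one user's outbox within
    window_s seconds (systematic pagination). Returns {ip: {user: sorted cursors}}."""
    hits = defaultdict(lambda: defaultdict(list))  # ip -> user -> [(ts, cursor)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, user, cursor = rec
            hits[ip][user].append((ts, cursor))
    flagged = {}
    for ip, users in hits.items():
        for user, reqs in users.items():
            cursors = sorted({c for _, c in reqs})
            span = max(t for t, _ in reqs) - min(t for t, _ in reqs)
            if len(cursors) >= min_pages and span.total_seconds() <= window_s:
                flagged.setdefault(ip, {})[user] = cursors
    return flagged
```

A single fetch of the first outbox page from a federating peer (the second client in the sample) is normal and is not flagged; only the client that paged through cursors 0, 40, 80 and 120 within seconds is reported.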
Monitoring Recommendations
- Enable detailed logging for all ActivityPub federation endpoints
- Set up alerts for abnormal request volumes targeting outbox collections
- Audit historical access logs to identify potential prior exploitation
- Monitor for data exfiltration patterns in network traffic analysis tools
How to Mitigate CVE-2026-25808
Immediate Actions Required
- Upgrade Hollo immediately to version 0.6.20 (for the 0.6.x line) or 0.7.2 (for the 0.7.x line)
- Audit access logs to identify any potential unauthorized access to private content
- Notify affected users if evidence of exploitation is discovered
- Review all federated connections for suspicious activity
Patch Information
The vulnerability has been addressed in Hollo versions 0.6.20 and 0.7.2. The fix implements proper visibility filtering in the database query for the ActivityPub outbox endpoint, ensuring only public and unlisted posts are exposed. For detailed patch information, see the GitHub Security Advisory GHSA-6r2w-3pcj-v4v5 and the specific commit 329969c.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the ActivityPub outbox endpoint
- Implement a reverse proxy rule to block unauthenticated access to outbox endpoints
- Restrict outbox access to a small allowlist of trusted federated servers via firewall or reverse proxy rules
# Example nginx configuration to restrict outbox access until the instance is patched.
# nginx evaluates allow/deny directives in order, so any allow lines must come before deny all.
# Denying the outbox also hides the user's public posts from legitimate peers; remove this
# block once the upgrade is applied.
location ~ ^/users/.*/outbox {
    # Optional: allowlist trusted federated servers first (replace with their real addresses)
    # allow 192.168.1.0/24;
    # Then deny everyone else (or all access, if no allow lines are present)
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

