CVE-2026-25808
📋 TL;DR
This vulnerability in Hollo microblogging software exposes private direct messages and followers-only posts through the ActivityPub outbox endpoint without proper authorization. Any Hollo instance running vulnerable versions is affected, potentially exposing sensitive user communications to unauthorized access.
💻 Affected Systems
- Hollo
📦 What is this software?
Hollo by Fedify
⚠️ Risk & Real-World Impact
Worst Case
All private direct messages and followers-only posts become publicly accessible, leading to complete privacy breach, exposure of sensitive communications, and potential blackmail or reputational damage.
Likely Case
Unauthorized users can access private messages and restricted posts, violating user privacy expectations and potentially exposing sensitive information.
If Mitigated
With proper access controls and network segmentation, impact is limited to authorized users only, maintaining privacy of communications.
🎯 Exploit Status
Exploitation requires only access to the ActivityPub outbox endpoint, which is typically publicly accessible so that other servers can federate with the instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.20 or 0.7.2
Vendor Advisory: https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5
Restart Required: Yes
Instructions:
1. Backup your Hollo instance data.
2. Update to version 0.6.20 (for the 0.6.x branch) or 0.7.2 (for the 0.7.x branch).
3. Restart the Hollo service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict outbox endpoint access
Use web server configuration to restrict access to the ActivityPub outbox endpoint. The nginx rule below matches any path that contains /outbox; an Apache <Location /outbox> block would only match paths that begin with /outbox, so <LocationMatch> is used instead to cover per-account outbox paths as well. Denying the endpoint also hides legitimately public posts from it, so treat this as a stopgap until the patch is applied.
# For nginx:
location ~ /outbox { deny all; }
# For Apache:
<LocationMatch "/outbox">
    Require all denied
</LocationMatch>
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to the Hollo instance
- Monitor outbox endpoint access logs for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check Hollo version. If version is below 0.6.20 (for 0.6.x) or below 0.7.2 (for 0.7.x), the system is vulnerable.
Check Version:
Check Hollo configuration or package manager for version information
Verify Fix Applied:
After patching, verify version is 0.6.20 or higher (0.6.x branch) or 0.7.2 or higher (0.7.x branch). Test that private DMs and followers-only posts are no longer accessible via outbox endpoint.
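The "test that private DMs and followers-only posts are no longer accessible" step can be automated. The script below is an added example, not code from the advisory or from Hollo: it assumes the outbox is a standard ActivityStreams OrderedCollection (optionally paged through an embedded "first" page) whose items are Create activities wrapping Note objects, and it flags every item an unauthenticated fetch returned that is not addressed to the Public collection. The sample outbox and the hollo.example hostname are constructed; `fetch_outbox` is provided for running the same audit against a real instance's own outbox URL.

```python
"""Post-patch verification for the Hollo outbox leak (CVE-2026-25808).

Added example, not Hollo's own code. Assumes a standard ActivityStreams
OrderedCollection outbox; any item returned to an anonymous client whose
audience omits the Public collection indicates the fix is not in effect.
"""
import json
import urllib.request

# Spellings of the Public collection seen in the wild (per the ActivityPub spec).
PUBLIC_ADDRESSES = {
    "https://www.w3.org/ns/activitystreams#Public",
    "as:Public",
    "Public",
}


def _as_list(value):
    """Normalise an audience field: missing -> [], string -> [string], list -> list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def audience(item):
    """Collect addressing from an activity and, if embedded, its wrapped object.

    Entries may be plain URIs or embedded objects carrying an "id".
    """
    nodes = [item]
    if isinstance(item.get("object"), dict):
        nodes.append(item["object"])
    addrs = set()
    for node in nodes:
        for field in ("to", "cc", "bto", "bcc", "audience"):
            for entry in _as_list(node.get(field)):
                addrs.add(entry["id"] if isinstance(entry, dict) else entry)
    return addrs


def is_public(item):
    """True if the item is addressed to Public (in "to" or "cc", i.e. public or unlisted)."""
    return bool(audience(item) & PUBLIC_ADDRESSES)


def items_of(collection):
    """Yield items from a collection or page; follows an embedded "first" page only."""
    if "orderedItems" in collection:
        yield from collection["orderedItems"]
    elif "items" in collection:
        yield from collection["items"]
    first = collection.get("first")
    if isinstance(first, dict):
        yield from items_of(first)


def non_public_items(collection):
    """Return the object ids of items that should not be served to an anonymous client.

    A non-empty result after patching means the fix is not in effect.
    """
    leaked = []
    for item in items_of(collection):
        if not is_public(item):
            obj = item.get("object")
            leaked.append(obj.get("id") if isinstance(obj, dict) else item.get("id"))
    return leaked


def fetch_outbox(url):
    """Fetch an outbox anonymously, the way a remote server would (network call)."""
    req = urllib.request.Request(url, headers={"Accept": "application/activity+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample outbox: one public post, one followers-only post, one direct message.
SAMPLE_OUTBOX = {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "OrderedCollection",
    "orderedItems": [
        {"type": "Create", "id": "https://hollo.example/@alice/posts/1/activity",
         "to": ["https://www.w3.org/ns/activitystreams#Public"],
         "cc": ["https://hollo.example/@alice/followers"],
         "object": {"type": "Note", "id": "https://hollo.example/@alice/posts/1"}},
        {"type": "Create", "id": "https://hollo.example/@alice/posts/2/activity",
         "to": ["https://hollo.example/@alice/followers"],
         "object": {"type": "Note", "id": "https://hollo.example/@alice/posts/2"}},
        {"type": "Create", "id": "https://hollo.example/@alice/posts/3/activity",
         "to": ["https://other.example/@bob"],
         "object": {"type": "Note", "id": "https://hollo.example/@alice/posts/3"}},
    ],
}

if __name__ == "__main__":
    # Against the sample this reports posts 2 and 3; against a patched instance
    # (non_public_items(fetch_outbox(url))) it should report nothing.
    print(non_public_items(SAMPLE_OUTBOX))
```

Run the audit against your own instance only after the outbox has been fetched without any session cookie or HTTP signature, since an authenticated fetch is allowed to return followers-only content and would produce false positives.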
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /outbox endpoint
- Requests for private message content from unauthorized sources
Network Indicators:
- HTTP requests to outbox endpoint from unexpected sources
- Unusual data exfiltration patterns
SIEM Query:
source="hollo_logs" AND (uri_path="/outbox" OR uri_path LIKE "/outbox/%") AND (user_agent NOT IN expected_clients OR src_ip NOT IN allowed_ips)
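The SIEM query above expressed over raw web server access logs, as an added example that is not part of the advisory or of Hollo: it parses nginx/Apache combined-format lines, keeps requests whose path contains /outbox (rather than only a root-level /outbox, since the outbox normally lives under the account path), and flags those whose source is neither an allowed IP nor an expected ActivityPub client. The allowlists, the log lines and the hostnames are constructed placeholders.

```python
"""Log-based detection of unexpected outbox fetches (CVE-2026-25808).

Added example, not part of the advisory or of Hollo. Applies the SIEM query's
logic to combined-format access log lines. ALLOWED_IPS and EXPECTED_UA_PREFIXES
are placeholders to be replaced with the instance's own monitoring hosts and peers.
"""
import re
from dataclasses import dataclass

# nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ALLOWED_IPS = {"203.0.113.10"}  # placeholder: e.g. a known uptime probe (TEST-NET-3 address)
EXPECTED_UA_PREFIXES = ("Mastodon/", "Fedify/", "http.rb/")  # placeholder: fediverse software seen federating


@dataclass
class Hit:
    ip: str
    path: str
    user_agent: str
    status: int


def parse_line(line):
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_outbox(path):
    """Match the outbox segment anywhere in the path, ignoring the query string."""
    return "/outbox" in path.split("?", 1)[0]


def expected_client(ip, ua):
    """Mirror of 'user_agent NOT IN expected_clients OR src_ip NOT IN allowed_ips', inverted."""
    return ip in ALLOWED_IPS or ua.startswith(EXPECTED_UA_PREFIXES)


def detect(lines):
    """Flag outbox requests from sources that are neither allowlisted nor expected clients."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_outbox(rec["path"]):
            continue
        if not expected_client(rec["ip"], rec["ua"]):
            hits.append(Hit(rec["ip"], rec["path"], rec["ua"], int(rec["status"])))
    return hits


# Constructed sample log: a federating peer, an allowlisted probe, and a generic HTTP client.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2026:09:12:01 +0000] "GET /@alice/outbox?page=true HTTP/1.1" 200 8123 "-" "Mastodon/4.3.0 (+https://mastodon.example/)"',
    '203.0.113.10 - - [10/Feb/2026:09:12:05 +0000] "GET /@alice/outbox HTTP/1.1" 200 512 "-" "uptime-probe/1.0"',
    '192.0.2.44 - - [10/Feb/2026:09:13:44 +0000] "GET /@alice/outbox?page=true HTTP/1.1" 200 14422 "-" "python-requests/2.32.0"',
    '192.0.2.44 - - [10/Feb/2026:09:13:45 +0000] "GET /@alice HTTP/1.1" 200 2048 "-" "python-requests/2.32.0"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.ip} {hit.status} {hit.path} ua={hit.user_agent!r}")
```

On a federating instance, outbox fetches from arbitrary remote servers are normal, so an IP allowlist alone produces noise; the user-agent test and request volume per source are the more useful signals, and a 200 response to such a request on an unpatched version is the event worth alerting on.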