CVE-2026-25808: CWE-862: Missing Authorization in fedify-dev hollo

Severity: High
Published: Mon Feb 09 2026 (02/09/2026, 21:50:10 UTC)
Source: CVE Database V5
Vendor/Project: fedify-dev
Product: hollo

Description

CVE-2026-25808 is a high-severity vulnerability in Hollo, a federated microblogging platform that speaks ActivityPub. Versions prior to 0.6.20 and 0.7.2 expose direct messages and followers-only posts through the ActivityPub outbox endpoint without any authorization check. This missing-authorization flaw (CWE-862) lets any remote party read private conversations and restricted posts without authenticating and without any action by the victim. The vulnerability affects Hollo versions before 0.6.20 and between 0.

AI-Powered Analysis

Last updated: 02/09/2026, 22:15:37 UTC

Technical Analysis

CVE-2026-25808 is a missing-authorization flaw (CWE-862) in Hollo, a federated single-user microblogging server built on the ActivityPub protocol. Hollo versions before 0.6.20, and the 0.7 series before 0.7.2, serve the ActivityPub outbox endpoint without considering who is asking. The collection returned by that endpoint includes direct messages (DMs) and followers-only posts alongside the author's public posts, so anyone who can issue an HTTP GET to the outbox receives content that should only ever reach its addressees or approved followers. In ActivityPub the outbox is a fetchable collection whose contents are meant to be filtered by the requester's permissions: an anonymous requester should see only public (and unlisted) objects, and restricted objects should be released only to a requester whose identity and entitlement have been established. No privileges or user interaction are required, which makes exploitation trivial over the network. The CVSS v3.1 base score of 7.5 corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: a complete loss of confidentiality for the affected data, with no effect on integrity or availability. The issue was published on February 9, 2026 and is fixed in Hollo 0.6.20 and 0.7.2. No public exploit has been reported, but none is needed beyond an ordinary HTTP client. Because DMs are exchanged with users on other instances, a single vulnerable Hollo instance also exposes messages written by remote users, so the exposure is not confined to the instance operator's own data. Operators should patch now and, until they can, review how their ActivityPub endpoints are exposed.
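To make the CWE-862 pattern concrete, the following TypeScript is an added illustration written for this page; it is not Hollo's code and does not use Hollo's or Fedify's APIs. It contrasts an outbox handler that returns every stored post with one that filters by audience. The Post shape, the visibility labels, the way a requester's identity and follower status are represented, and the sample posts are all assumptions made for the example.

```typescript
// Added example for CVE-2026-25808 (not Hollo's own code). A minimal
// ActivityPub outbox handler in its vulnerable and hardened forms.
// Post shape, visibility labels and the requester model are assumptions.

type Visibility = "public" | "unlisted" | "followers" | "direct";

interface Post {
  id: string;
  visibility: Visibility;
  content: string;
  // Actor/collection IRIs in the ActivityStreams "to" and "cc" audience.
  to: string[];
  cc: string[];
}

// Identity of whoever is fetching the outbox. null = anonymous request.
// How the identity is established (for example a verified HTTP Signature
// on the GET) is out of scope for this example.
interface Requester {
  actorId: string;
  isFollower: boolean;
}

const PUBLIC = "https://www.w3.org/ns/activitystreams#Public";
const FOLLOWERS = "https://hollo.example/@alice/followers";

// Constructed sample outbox of a single-user instance (not real data).
const SAMPLE_POSTS: Post[] = [
  { id: "https://hollo.example/@alice/1", visibility: "public",
    content: "hello world", to: [PUBLIC], cc: [FOLLOWERS] },
  { id: "https://hollo.example/@alice/2", visibility: "unlisted",
    content: "quiet post", to: [FOLLOWERS], cc: [PUBLIC] },
  { id: "https://hollo.example/@alice/3", visibility: "followers",
    content: "followers only", to: [FOLLOWERS], cc: [] },
  { id: "https://hollo.example/@alice/4", visibility: "direct",
    content: "private note to bob", to: ["https://remote.example/@bob"], cc: [] },
];

// Vulnerable shape (CWE-862): the outbox is the author's whole post
// history, handed to anyone who asks. DMs and followers-only posts leak.
function outboxVulnerable(posts: Post[]): Post[] {
  return posts.slice();
}

// Hardened shape: deny by default and release each post only to an
// audience it was addressed to.
//  - public/unlisted: visible to everyone, including anonymous fetches
//  - followers:       only to an identified requester who follows the author
//  - direct:          only to an identified requester named in to/cc
function outboxHardened(posts: Post[], requester: Requester | null): Post[] {
  return posts.filter((p) => {
    if (p.visibility === "public" || p.visibility === "unlisted") return true;
    if (requester === null) return false;
    if (p.visibility === "followers") return requester.isFollower;
    return p.to.includes(requester.actorId) || p.cc.includes(requester.actorId);
  });
}

// Convenience for the reader: what an anonymous crawler sees in each case.
function leakedToAnonymous(posts: Post[]): string[] {
  const hardened = new Set(outboxHardened(posts, null).map((p) => p.id));
  return outboxVulnerable(posts)
    .filter((p) => !hardened.has(p.id))
    .map((p) => p.id);
}
```

Running leakedToAnonymous over the sample data yields the followers-only post and the direct message, which is exactly the class of content the advisory says the unpatched outbox discloses. The hardened filter is deliberately deny-by-default: an unknown or unauthenticated requester never gets past the public/unlisted branch, so a bug in follower or recipient lookup fails closed rather than open.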

Potential Impact

For European organizations, the primary impact is the unauthorized disclosure of private communications and restricted posts, which can amount to a personal data breach under GDPR with the notification duties and reputational damage that follow. Because Hollo is federated social software, exposed direct messages and followers-only content may contain confidential organizational discussions or personal data of users on other instances, and that material can feed targeted social engineering, espionage or insider activity. The vulnerability does not affect integrity or availability, but the loss of confidentiality alone is significant, especially where regulated information is involved. Since DMs are exchanged across instances, one vulnerable instance can expose messages belonging to users of other organizations or communities. European entities running Hollo for internal communication or public federated services must therefore assume that any content in an unpatched outbox was readable by third parties. The absence of known exploitation in the wild gives a window for mitigation, but exploitation needs nothing more than an unauthenticated HTTP request, so patching is urgent.

Mitigation Recommendations

1. Upgrade Hollo to version 0.6.20 (0.6 series) or 0.7.2 (0.7 series) or later, where the authorization checks on the ActivityPub outbox endpoint are enforced.
2. Until the patch is applied, deny or restrict GET requests to the outbox endpoint at the reverse proxy or firewall. ActivityPub delivery pushes activities to inboxes, so temporarily blocking outbox fetches generally does not stop federation, but it also hides legitimate public posts from tools that page through the outbox; remove the block once patched.
3. Audit access logs for requests to the outbox endpoint during the exposure window. Exploitation looks like an ordinary GET, which is also what legitimate peers send, so focus on generic or scripted user agents, rapid paging through the collection, and source addresses that do not correspond to known federation peers. Treat any unexplained successful fetch as a disclosure of whatever the outbox contained at the time.
4. Review Hollo's federation and access-control configuration to minimize what is exposed beyond the patched endpoint.
5. Make users and administrators aware that direct messages and followers-only posts on an unpatched instance must be considered disclosed, and of the importance of timely patching.
6. For organizations with multiple Hollo instances, segment and monitor them so that exposure on one instance is detected rather than assumed contained.
7. A Web Application Firewall can rate-limit or block non-federation clients hitting the outbox, but it cannot distinguish an authorized fetch from an unauthorized one for this flaw, since every fetch succeeds; treat it as a complement to patching, not a substitute.
8. Maintain an incident response plan so that confirmed data leakage from the outbox can be triaged and, where GDPR applies, notified within the required timeframe.
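The log audit in step 3 can be started with a small triage script. The TypeScript below is an added example for this page, not a tool from Hollo or the advisory: it parses reverse-proxy access log lines in nginx "combined" format, keeps GET requests to outbox URLs, and summarises successful fetches by client address and user agent so that generic HTTP clients paging through the outbox stand out from identifiable fediverse servers. The outbox path pattern /@<handle>/outbox and the log lines are assumptions constructed for the example; adjust the pattern to the paths your instance actually serves.

```typescript
// Added triage helper for CVE-2026-25808 (not part of Hollo or this advisory).
// Summarises GET requests to ActivityPub outbox URLs from an nginx
// "combined" access log. The /@<handle>/outbox path is an assumption.

interface OutboxHit {
  ip: string;
  time: string;
  path: string;
  status: number;
  ua: string;
}

// nginx combined: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
const LOG_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/;
// Outbox collection, with or without a query string (assumed path layout).
const OUTBOX_RE = /^\/@[^/]+\/outbox(\?|$)/;

// Keep only GET requests whose path is an outbox collection.
function parseOutboxHits(lines: string[]): OutboxHit[] {
  const hits: OutboxHit[] = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, time, method, path, status, ua] = m;
    if (method !== "GET" || !OUTBOX_RE.test(path)) continue;
    hits.push({ ip, time, path, status: Number(status), ua });
  }
  return hits;
}

// Count successful (200) outbox fetches per "<ip> <user-agent>". Fediverse
// servers normally identify themselves (e.g. "Mastodon/4.x (+https://...)");
// curl, python-requests or browser-like agents repeatedly paging the outbox
// during the exposure window are the entries to investigate first.
function summarise(hits: OutboxHit[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const h of hits) {
    if (h.status !== 200) continue;
    const key = `${h.ip} ${h.ua}`;
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

// Constructed sample log (not real traffic): one scripted client paging
// the outbox, one Mastodon peer doing a single fetch, plus unrelated hits.
const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [09/Feb/2026:22:10:01 +0000] "GET /@alice/outbox?page=true HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
  '203.0.113.7 - - [09/Feb/2026:22:10:03 +0000] "GET /@alice/outbox?page=true&max_id=42 HTTP/1.1" 200 4810 "-" "curl/8.5.0"',
  '198.51.100.4 - - [09/Feb/2026:22:11:17 +0000] "POST /@alice/inbox HTTP/1.1" 202 0 "-" "Mastodon/4.2.0 (+https://mastodon.example/)"',
  '198.51.100.4 - - [09/Feb/2026:22:11:20 +0000] "GET /@alice/outbox HTTP/1.1" 200 812 "-" "Mastodon/4.2.0 (+https://mastodon.example/)"',
  '192.0.2.9 - - [09/Feb/2026:22:12:00 +0000] "GET /@alice HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [09/Feb/2026:22:12:05 +0000] "GET /@alice/outbox?page=true&max_id=10 HTTP/1.1" 404 153 "-" "curl/8.5.0"',
];

// Usage: node/tsx this file to print the summary for the sample log; in
// practice feed it the lines of your proxy log for the exposure window.
function report(lines: string[]): string[] {
  const out: string[] = [];
  for (const [key, n] of summarise(parseOutboxHits(lines))) {
    out.push(`${n}\t${key}`);
  }
  return out;
}

console.log(report(SAMPLE_LOG).join("\n"));
```

On the constructed sample the scripted client at 203.0.113.7 accounts for two successful outbox pages and the Mastodon peer for one; the inbox POST, the profile fetch and the failed 404 page are ignored. Remember that a clean log does not prove the outbox was never read: proxy logs are often rotated or sampled, and a single successful GET was enough to retrieve the collection.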


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-05T19:58:01.642Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698a592c4b57a58fa173fd9f

Added to database: 2/9/2026, 10:01:16 PM

Last enriched: 2/9/2026, 10:15:37 PM

Last updated: 2/9/2026, 11:13:27 PM
