CVE-2026-25808 is a missing authorization vulnerability (CWE-862) found in Hollo, a federated single-user microblogging software that utilizes the ActivityPub protocol for federation. The flaw exists in versions prior to 0.6.20 and 0.7.2, where the ActivityPub outbox endpoint fails to enforce proper access controls. This endpoint is responsible for serving user-generated content such as direct messages (DMs) and followers-only posts. Due to the missing authorization checks, any remote attacker can retrieve sensitive private messages and restricted posts without authentication or user interaction. The vulnerability impacts confidentiality by exposing private communications to unauthorized parties, but does not affect data integrity or system availability. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, low complexity, no privileges required, and no user interaction needed. Although no known exploits are reported in the wild, the vulnerability poses a significant privacy risk, especially in environments where sensitive or confidential communications occur. The issue was addressed in Hollo versions 0.6.20 and 0.7.2 by implementing proper authorization checks on the ActivityPub outbox endpoint to restrict access to authorized followers only. Organizations running affected versions should prioritize upgrading to these patched releases to prevent unauthorized data disclosure. Additionally, reviewing federation configurations and monitoring access logs for unusual activity is recommended to detect potential exploitation attempts.

For European organizations, this vulnerability threatens the confidentiality of private communications within Hollo instances, potentially exposing sensitive direct messages and followers-only content to unauthorized external parties. This could lead to privacy violations, reputational damage, and regulatory non-compliance, especially under GDPR requirements concerning personal data protection. Organizations using Hollo for internal or community communications may inadvertently leak confidential information, undermining trust and operational security. The federated nature of Hollo increases the attack surface, as malicious actors can remotely query vulnerable endpoints without authentication. While integrity and availability remain unaffected, the breach of confidentiality alone is critical given the sensitivity of direct messages. The impact is particularly severe for sectors handling sensitive data such as government agencies, NGOs, and enterprises relying on federated social platforms for communication. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread abuse occurs.

1. Immediately upgrade all Hollo instances to version 0.6.20 or 0.7.2 or later, where the authorization flaw is fixed. 2. Audit existing ActivityPub outbox endpoint configurations to ensure proper access controls are enforced, restricting content visibility to authorized followers only. 3. Implement network-level monitoring and logging to detect unusual access patterns to the outbox endpoint, which may indicate exploitation attempts. 4. Educate users and administrators about the sensitivity of direct messages and followers-only posts, encouraging cautious sharing until patches are applied. 5. Consider deploying Web Application Firewalls (WAFs) with custom rules to block unauthorized requests targeting the outbox endpoint as an interim protective measure. 6. Review federation partner configurations to ensure they do not inadvertently expose private data through federation protocols. 7. Establish incident response procedures to quickly address any detected unauthorized data access. 8. Regularly monitor Hollo project updates and security advisories for any further patches or related vulnerabilities.