Description
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.
Published: 2026-02-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Private Messages
Action: Apply Patch
AI Analysis

Impact

A flaw in Hollo’s ActivityPub outbox endpoint allows any unauthenticated user to retrieve direct messages and follower‑only posts, exposing private content that is meant to be protected. The weakness falls under Unauthorized Access (CWE‑862) and primarily threatens confidentiality by letting attackers view confidential communications.

Affected Systems

Vendors: fedify-dev for Hollo. Affected versions include all releases prior to 0.6.20 and 0.7.2; specifically Hollo 0.6.x older than 0.6.20 and Hollo 0.7.x older than 0.7.2 are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 7.5 (High): network-reachable, low attack complexity, no privileges or user interaction required, with high confidentiality impact and no integrity or availability impact. The EPSS score is below 1%, suggesting a low current exploitation probability, and it is not listed in the CISA KEV catalog. Exploiting it requires only access to the public outbox endpoint; no authentication is needed. An attacker can retrieve private messages by querying the outbox endpoint and observing the returned ActivityPub payload.

Generated by OpenCVE AI on April 18, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hollo to version 0.6.20 or later, or 0.7.2 or later, which contains the fix for the unauthorized disclosure.
  • Configure the ActivityPub outbox endpoint so that only authenticated users can access private messages; ensure the endpoint is not publicly reachable by unauthenticated traffic.
  • Review the privacy settings for direct messages and follower‑only posts to confirm that no other configuration exposes them through the outbox.

Generated by OpenCVE AI on April 18, 2026 at 12:56 UTC.
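To make the Impact and Recommended Actions concrete, the following is an added TypeScript example written for this page; it is not Hollo's or Fedify's code and does not reproduce the actual patch. It models an outbox handler that serves every stored post regardless of who asks (the behaviour the advisory describes) next to a hardened variant that checks each item's visibility against the requester, and a helper a defender can use to verify that an anonymous fetch of an outbox returns no non-public items. The `Post`, `Requester`, `canView` and `leakedIds` names and the sample actor URLs are assumptions constructed for the example.

```typescript
// Added example, not Hollo's code. Models ActivityPub outbox filtering by post
// visibility; all names, types and sample data below are assumptions.

type Visibility = "public" | "unlisted" | "followers" | "direct";

interface Post {
  id: string;            // post URI
  visibility: Visibility;
  to: string[];          // actor URIs explicitly addressed (direct messages)
}

interface Requester {
  actorId: string | null; // null = unauthenticated request
  follower: boolean;      // requester is an accepted follower of the account owner
}

// Vulnerable behaviour described in the advisory: every stored item is served
// to any requester, so followers-only posts and DMs leak through the outbox.
function outboxUnfiltered(posts: Post[]): Post[] {
  return posts;
}

// Authorization decision for a single item. Public and unlisted posts are
// visible to everyone; followers-only requires an authenticated follower;
// direct messages require the requester to be an addressee.
function canView(post: Post, who: Requester): boolean {
  switch (post.visibility) {
    case "public":
    case "unlisted":
      return true;
    case "followers":
      return who.actorId !== null && who.follower;
    case "direct":
      return who.actorId !== null && post.to.includes(who.actorId);
    default:
      return false; // unknown visibility: fail closed
  }
}

// Hardened behaviour: filter before serializing the OrderedCollection.
function outboxFiltered(posts: Post[], who: Requester): Post[] {
  return posts.filter((p) => canView(p, who));
}

// Defender's check: given what an outbox actually returned to a requester,
// list the ids that requester should not have been able to see.
function leakedIds(served: Post[], who: Requester): string[] {
  return served.filter((p) => !canView(p, who)).map((p) => p.id);
}

// Constructed sample data (not real instances).
const SAMPLE_POSTS: Post[] = [
  { id: "https://hollo.example/posts/1", visibility: "public", to: [] },
  { id: "https://hollo.example/posts/2", visibility: "unlisted", to: [] },
  { id: "https://hollo.example/posts/3", visibility: "followers", to: [] },
  { id: "https://hollo.example/posts/4", visibility: "direct",
    to: ["https://other.example/users/bob"] },
];

const ANONYMOUS: Requester = { actorId: null, follower: false };
const BOB: Requester = { actorId: "https://other.example/users/bob", follower: true };

// Anonymous fetch of the unfiltered outbox leaks posts 3 and 4; the filtered
// outbox leaks nothing, while Bob (a follower and DM addressee) sees all four.
console.log(leakedIds(outboxUnfiltered(SAMPLE_POSTS), ANONYMOUS));
console.log(leakedIds(outboxFiltered(SAMPLE_POSTS, ANONYMOUS), ANONYMOUS));
console.log(outboxFiltered(SAMPLE_POSTS, BOB).length);
```

The point of `leakedIds` is that it can be run against the JSON an instance really returns to an unauthenticated client: feed it the served items and a null-actor requester, and any non-empty result is evidence of the disclosure this CVE describes. Note that the outbox endpoint itself must stay reachable for federation to work; the fix is per-item authorization, not blocking the route.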

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Fedify
                                      Fedify hollo
CPEs                                  cpe:2.3:a:fedify:hollo:*:*:*:*:*:*:*:*
Vendors & Products                    Fedify
                                      Fedify hollo

Tue, 10 Feb 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Fedify-dev
                                      Fedify-dev hollo
Vendors & Products                    Fedify-dev
                                      Fedify-dev hollo

Mon, 09 Feb 2026 22:00:00 +0000

Type         Values Removed   Values Added
Description                   Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.
Title                         Hollo DMs get leaked and can be seen on Webfinger Browser
Weaknesses                    CWE-862
References
Metrics                       cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T21:23:34.888Z

Reserved: 2026-02-05T19:58:01.642Z

Link: CVE-2026-25808

Vulnrichment

Updated: 2026-02-10T21:23:32.292Z

NVD

Status: Analyzed

Published: 2026-02-09T22:16:02.440

Modified: 2026-02-28T00:17:33.850

Link: CVE-2026-25808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses