{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25808", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T19:58:01.642Z", "datePublished": "2026-02-09T21:50:10.579Z", "dateUpdated": "2026-02-10T21:23:34.888Z"}, "containers": {"cna": {"title": "Hollo DMs get leaked and can be seen on Webfinger Browser", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5"}, {"name": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e", "tags": ["x_refsource_MISC"], "url": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e"}, {"name": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20", "tags": ["x_refsource_MISC"], "url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20"}, {"name": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2"}], "affected": [{"vendor": "fedify-dev", "product": "hollo", "versions": [{"version": "< 0.6.20, 0.7.2", "status": "affected"}, {"version": ">= 7.0.0, < 0.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:50:10.579Z"}, "descriptions": [{"lang": "en", "value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2."}], "source": {"advisory": "GHSA-6r2w-3pcj-v4v5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T21:23:28.921772Z", "id": "CVE-2026-25808", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T21:23:34.888Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25808", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T21:23:28.921772Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T21:23:32.292Z"}}], "cna": {"title": "Hollo DMs get leaked and can be seen on Webfinger Browser", "source": {"advisory": "GHSA-6r2w-3pcj-v4v5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "fedify-dev", "product": "hollo", "versions": [{"status": "affected", "version": "< 0.6.20, 0.7.2"}, {"status": "affected", "version": ">= 7.0.0, < 0.7.2"}]}], "references": [{"url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5", "name": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e", "name": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20", "name": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2", "name": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:50:10.579Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25808", "state": "PUBLISHED", "dateUpdated": "2026-02-10T21:23:34.888Z", "dateReserved": "2026-02-05T19:58:01.642Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T21:50:10.579Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fedify:hollo:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1422F95-7A77-4327-B1F1-95B79678E9AB", "versionEndExcluding": "0.6.20", "versionStartIncluding": "0.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedify:hollo:*:*:*:*:*:*:*:*", "matchCriteriaId": "10E08CBE-B4F8-4DF9-A84F-BCC0BAEF3A4C", "versionEndExcluding": "0.7.2", "versionStartIncluding": "0.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2."}, {"lang": "es", "value": "Hollo es un software de microblogging de un solo usuario federado dise\u00f1ado para ser federado a trav\u00e9s de ActivityPub. Antes de 0.6.20 y 0.7.2, existe una vulnerabilidad de seguridad donde los mensajes directos (MD) y las publicaciones solo para seguidores fueron expuestos a trav\u00e9s del endpoint de bandeja de salida de ActivityPub sin autorizaci\u00f3n. Esta vulnerabilidad est\u00e1 corregida en 0.6.20 y 0.7.2."}], "id": "CVE-2026-25808", "lastModified": "2026-02-28T00:17:33.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T22:16:02.440", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/fedify-dev/hollo/releases/tag/0.6.20"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/fedify-dev/hollo/releases/tag/0.7.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "< 0.6.20, 0.7.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": ">= 7.0.0, < 0.7.2"}}], "product": "hollo", "vendor": "fedify-dev"}], "analysis": {"en": {"generated_at": "2026-04-18T12:56:56.189719+00:00", "value": {"mitigation_remediation": ["Upgrade Hollo to version 0.6.20 or later, or 0.7.2 or later, which contains the fix for the unauthorized disclosure.", "Configure the ActivityPub outbox endpoint so that only authenticated users can access private messages; ensure the endpoint is not publicly reachable by unauthenticated traffic.", "Review the privacy settings for direct messages and follower\u2011only posts to confirm that no other configuration exposes them through the outbox."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Disclosure of Private Messages"}, "threat_synthesis": {"affected_systems": "Vendors: fedify-dev for Hollo. Affected versions include all releases prior to 0.6.20 and 0.7.2; specifically Hollo 0.6.x older than 0.6.20 and Hollo 0.7.x older than 0.7.2 are vulnerable.", "description_and_impact": "A flaw in Hollo\u2019s ActivityPub outbox endpoint allows any unauthenticated user to retrieve direct messages and follower\u2011only posts, exposing private content that is meant to be protected. The weakness falls under Unauthorized Access (CWE\u2011862) and primarily threatens confidentiality by letting attackers view confidential communications.", "risk_and_exploitability": "The vulnerability scores a CVSS of 7.5, indicating a high likelihood of impact if exploited. The EPSS score is below 1%, suggesting a low current exploitation probability, and it is not listed in the CISA KEV catalog. Exploitability requires only access to the public outbox endpoint; no authentication is needed. An attacker can retrieve private messages by querying the outbox endpoint and observing the returned ActivityPub payload."}}}}, "created": "2026-02-10T11:34:56.695005+00:00", "updated": "2026-04-18T13:00:08.766795+00:00", "vendors": ["fedify-dev", "fedify-dev$PRODUCT$hollo"]}