Released on February 10, 2026.
- Fixed a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. The outbox now only serves public and unlisted posts. Any unauthenticated request to the outbox could previously retrieve all posts regardless of their visibility setting. [CVE-2026-25808]