diff --git a/changelog/unreleased/fix-acitivity-leak.md b/changelog/unreleased/fix-acitivity-leak.md
new file mode 100644
index 00000000000..eec8a1aba31
--- /dev/null
+++ b/changelog/unreleased/fix-acitivity-leak.md
@@ -0,0 +1,5 @@
+Bugfix: Fix Activities leak
+
+Fix activities endpoint by preventing unauthorized users to get activities
+
+https://github.com/owncloud/ocis/pull/10092
diff --git a/services/activitylog/pkg/service/http.go b/services/activitylog/pkg/service/http.go
index deaebe94658..2c3139e18a9 100644
--- a/services/activitylog/pkg/service/http.go
+++ b/services/activitylog/pkg/service/http.go
@@ -53,6 +53,12 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
 		return
 	}
 
+	gwc, err := s.gws.Next()
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
 	rid, limit, rawActivityAccepted, activityAccepted, sort, err := s.getFilters(r.URL.Query().Get("kql"))
 	if err != nil {
 		s.log.Info().Str("query", r.URL.Query().Get("kql")).Err(err).Msg("error getting filters")
@@ -61,6 +67,12 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
 		return
 	}
 
+	_, err = utils.GetResourceByID(ctx, rid, gwc)
+	if err != nil {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
 	raw, err := s.Activities(rid)
 	if err != nil {
 		s.log.Error().Err(err).Msg("error getting activities")
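Review bot: The failure of `gwc, err := s.gws.Next()` is answered with a bare 500 and the error is discarded, whereas every other failure path visible in HandleGetItemActivities reports through `s.log`; the new 403 branch in the second hunk of this file has the same gap. Add `s.log.Error().Err(err).Msg("error selecting gateway client")` before the `WriteHeader` so a gateway outage is distinguishable in the logs from a client fault. HandleGetItemActivities begins before this hunk and continues after it.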
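Review bot: Every error from `utils.GetResourceByID` is mapped to 403 at the added check, so a gateway timeout or an internal lookup failure is reported to the caller as forbidden, and because nothing is logged there is no record of either the outage or the rejected access attempt. If the helper exposes the gateway status (inferred; the helper is not in the hunk), map permission-denied and not-found to 403 and other failures to 500, and in both cases log before returning, e.g. `s.log.Info().Err(err).Msg("resource not accessible for requesting user")`, so denials are visible for detection and auditing. `ctx` is defined outside the hunk; it should be the request context so the lookup runs with the caller's identity rather than a service identity, which is what makes this check an authorization check at all. HandleGetItemActivities continues after the hunk.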