diff --git a/changelog/unreleased/forbid-activities-for-sharees.md b/changelog/unreleased/forbid-activities-for-sharees.md
new file mode 100644
index 00000000000..ca7d7620539
--- /dev/null
+++ b/changelog/unreleased/forbid-activities-for-sharees.md
@@ -0,0 +1,5 @@
+Bugfix: Forbid Activities for Sharees
+
+Sharees may not see item activities. We now bind it to ListGrants permission.
+
+https://github.com/owncloud/ocis/pull/10136
diff --git a/services/activitylog/pkg/service/http.go b/services/activitylog/pkg/service/http.go
index 543c85e0e2a..3405d82e0f9 100644
--- a/services/activitylog/pkg/service/http.go
+++ b/services/activitylog/pkg/service/http.go
@@ -67,12 +67,18 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
 return
 }
 
- _, err = utils.GetResourceByID(ctx, rid, gwc)
+ info, err := utils.GetResourceByID(ctx, rid, gwc)
 if err != nil {
 w.WriteHeader(http.StatusForbidden)
 return
 }
 
+ // you need ListGrants to see activities
+ if !info.GetPermissionSet().GetListGrants() {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
+
 raw, err := s.Activities(rid)
 if err != nil {
 s.log.Error().Err(err).Msg("error getting activities")
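Review bot: The new `if !info.GetPermissionSet().GetListGrants()` guard in HandleGetItemActivities denies silently, so a stat that carries no permission set at all (the nil-safe getter chain then yields false) is indistinguishable from a genuine sharee and would present as every caller getting 403 with nothing in the log to explain it. That fail-closed default is the right one, but a debug line before the `return`, e.g. `s.log.Debug().Msg("activities denied: caller lacks ListGrants on resource")`, would make a misconfigured storage backend diagnosable without weakening the check. The one-line comment should also say why ListGrants is the gate — per the changelog, sharees must not see item activities, and the permission set is presumably evaluated for the requesting user by the gateway; that assumption is worth stating since the whole check rests on it. Note that an error from `GetResourceByID` is still mapped to 403 as before, which conveniently does not reveal whether the resource exists. The enclosing handler begins before this hunk and continues after it, so any sibling handlers that also return activities (if present) should receive the same check.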