diff --git a/src/activitypub/inbox.js b/src/activitypub/inbox.js
index 2549affc7b..33a6f6f83b 100644
--- a/src/activitypub/inbox.js
+++ b/src/activitypub/inbox.js
@@ -287,8 +287,11 @@ inbox.follow = async (req) => {
 	const handle = await user.getUserField(actor, 'username');
 
 	if (type === 'user') {
-		const exists = await user.exists(id);
-		if (!exists) {
+		const [exists, allowed] = await Promise.all([
+			user.exists(id),
+			privileges.global.can('view:users', activitypub._constants.uid),
+		]);
+		if (!exists || !allowed) {
 			throw new Error('[[error:invalid-uid]]');
 		}