diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 5b8c47ccd..5a6ffa156 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -482,6 +482,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     {:ok, activity}
   end
 
+  # We currently lack a Flag ObjectValidator since both CommonAPI and Transmogrifier
+  # both send it straight to ActivityPub.flag and C2S currently has to go through
+  # the normal pipeline which requires an ObjectValidator.
+  # TODO: Add a Flag Activity ObjectValidator
+  defp validate_visibility(_, %{"type" => "Flag"}) do
+    {:error, "Flag activities aren't currently supported in C2S"}
+  end
+
   defp validate_visibility(%User{} = user, %{"type" => type, "object" => object} = activity) do
     with {_, %Object{} = normalized_object} <-
            {:normalize, Object.normalize(object, fetch: false)},
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
index adb65431c..0f7b199fb 100644
--- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -1712,6 +1712,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       {:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
 
       assert Pleroma.Web.ActivityPub.Visibility.private?(post)
+      refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
 
       post_object = Object.normalize(post, fetch: false)
 
@@ -1737,6 +1738,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       {:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
 
       assert Pleroma.Web.ActivityPub.Visibility.private?(post)
+      refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
 
       post_object = Object.normalize(post, fetch: false)
 
@@ -1762,6 +1764,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       {:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
 
       assert Pleroma.Web.ActivityPub.Visibility.private?(post)
+      refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
 
       post_object = Object.normalize(post, fetch: false)