CVE-2026-41649
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both collectionId and documentId are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the documents.info endpoint. Version 1.7.0 contains a patch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| outline | outline | >= 0.86.0, < 1.7.0 | affected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/outline/outline/security/advisories/GHSA-23jj-rp48-w7q7
- https://github.com/outline/outline/commit/1b91a295e10f58a1088c54f533773788325ff460
- https://github.com/outline/outline/releases/tag/v1.7.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.