CVE-2026-33640
CRITICALOutline 0.86.0-1.5.x Email OTP - Rate Limit Bypass
Title source: manualDescription
Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6
X_Refsource_Misc x_refsource_misc
https://github.com/outline/outline/releases/tag/v1.6.0
Scores
CVSS v3
9.8
EPSS
0.0047
EPSS Percentile
36.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-307
Status
published
Products (2)
getoutline/outline
0.86.0 - 1.6.0
outline/outline
>= 0.86.0, < 1.6.0
Published
Mar 26, 2026
Tracked Since
Mar 27, 2026