CVE-2026-41649

HIGH

Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces

Title source: cna
STIX 2.1

Description

Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.

References (3)

Scores

CVSS v3 7.7
EPSS 0.0003
EPSS Percentile 7.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (1)
outline/outline >= 0.86.0, < 1.7.0
Published Apr 28, 2026
Tracked Since Apr 29, 2026