CVE-2026-43889
MEDIUMOutline: Unauthorized Document Publication via Mixed collectionId+documentId Share
Title source: cnaDescription
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/outline/outline/security/advisories/GHSA-rg4j-pmch-w6pm
Scores
CVSS v3
6.5
EPSS
0.0021
EPSS Percentile
11.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
outline/outline
< 1.7.0
Published
May 11, 2026
Tracked Since
May 12, 2026