Description
Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to restore, view, and seize ownership of deleted drafts belonging to other users, including administrators, without authorization. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. Version 1.4.0 fixes the issue.
Published: 2026-03-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private drafts and ownership seizure
Action: Apply Patch
AI Analysis

Impact

Outline’s document restoration logic before version 1.4.0 contains an insecure direct object reference (IDOR) that lets any authenticated team member restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. The flaw bypasses ownership validation, allowing attackers to read sensitive private content and lock the original owner out of their own documents. The primary impact is a compromise of confidentiality caused by missing authorization controls, categorised as CWE-639.

Affected Systems

The affected product is Outline by getoutline. All deployments running any version prior to 1.4.0 are vulnerable, regardless of environment or deployment method. Versions 1.4.0 and later include the fix.

Risk and Exploitability

The CVSS score of 8.1 signals a high-severity vulnerability, while the EPSS score of less than 1% indicates a low current probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated team members with access to the collaboration platform; exploitation requires interaction with the document restoration endpoint to trigger the IDOR. If successfully exploited, the attacker gains unauthorized access to information and ownership control over deleted documents.

Generated by OpenCVE AI on March 19, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.4.0 or later

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:getoutline:outline:*:*:*:*:*:*:*:* |

Wed, 18 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Getoutline; Getoutline outline |
| Vendors & Products | | Getoutline; Getoutline outline |

Tue, 17 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 17 Mar 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. Version 1.4.0 fixes the issue. |
| Title | | Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts |
| Weaknesses | | CWE-639 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T15:46:23.976Z

Reserved: 2026-01-27T19:35:20.529Z

Link: CVE-2026-24901

Vulnrichment

Updated: 2026-03-17T15:46:13.467Z

NVD

Status: Analyzed

Published: 2026-03-17T16:16:20.350

Modified: 2026-03-19T19:32:41.090

Link: CVE-2026-24901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:12Z

Weaknesses