Description
Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no collection (e.g., Private Drafts, Deleted Documents), regardless of the user's actual permissions on those documents. While the document content is not directly exposed, this vulnerability leaks sensitive metadata (such as Document IDs, user activity timestamps, and, in some specific cases such as a Permanent Delete, the Document Title). Crucially, leaking valid Document IDs of deleted drafts removes the protection of UUID randomness, making High-severity IDOR attacks (such as the one identified in documents.restore) trivially exploitable by lowering the attack complexity. Version 1.5.0 fixes the issue.
Published: 2026-03-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the events.list API endpoint of Outline, which is intended to return activity logs. Due to a logic flaw in the filtering mechanism, any authenticated user can request events for documents that have no collection, such as Private Drafts or Deleted Documents. The API then returns metadata including Document IDs, activity timestamps, and occasionally the Document Title for permanently deleted items. This information disclosure can be leveraged to enumerate private drafts and, by revealing valid Document IDs, facilitate IDOR attacks, enabling an attacker to restore or manipulate deleted drafts. The weakness corresponds to CWE-200 (Information Exposure).

Affected Systems

Affected product: Outline (getoutline:outline). Versions prior to 1.5.0 are vulnerable. The CVE does not specify additional vendors or product variants; only the Outline service is impacted.

Risk and Exploitability

The CVSS score is 4.3, indicating a low-to-moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild. Outline is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user, and the attacker can enumerate private drafts and potentially perform IDOR operations by using the exposed Document IDs. Because the privilege requirement is low (any authenticated user) and the attack complexity is low, the risk is considered moderate, but the overall impact remains limited to information disclosure and potential downstream IDOR weaknesses.

Generated by OpenCVE AI on March 19, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.5.0 or later
  • Verify the upgrade succeeded and that events.list responses no longer expose private draft metadata


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:45:00 +0000
  Type: CPEs
  Values removed: none
  Values added: cpe:2.3:a:getoutline:outline:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 12:15:00 +0000
  Type: First Time appeared
  Values removed: none
  Values added: Getoutline; Getoutline outline
  Type: Vendors & Products
  Values removed: none
  Values added: Getoutline; Getoutline outline

Tue, 17 Mar 2026 16:15:00 +0000
  Type: Metrics (ssvc)
  Values removed: none
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 15:45:00 +0000
  Type: Description
  Values removed: none
  Values added: the CVE description text, identical to the Description section at the top of this page
  Type: Title
  Values removed: none
  Values added: Outline's Information Disclosure in Activity Logs allows User Enumeration of Private Drafts
  Type: Weaknesses
  Values removed: none
  Values added: CWE-200
  Type: References
  Values removed: none
  Values added: (none shown)
  Type: Metrics (cvssV3_1)
  Values removed: none
  Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T15:45:17.053Z

Reserved: 2026-02-27T20:57:47.709Z

Link: CVE-2026-28506

Vulnrichment

Updated: 2026-03-17T15:45:10.743Z

NVD

Status: Analyzed

Published: 2026-03-17T16:16:20.940

Modified: 2026-03-19T19:32:27.067

Link: CVE-2026-28506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:11Z

Weaknesses