Description
Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on the amount or frequency of invalid submissions; rather, it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the code's lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue.
Published: 2026-03-26
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Account takeover
Action: Immediate Patch
AI Analysis

Impact

Outline’s email OTP login flow, which is used for users not linked to an Identity Provider, lacks proper invalidation of OTP codes after too many failed attempts. The application relies on a rate limiter to deter brute force, but a bypass in this limiter allows attackers to submit unlimited OTP attempts within the code’s lifetime. This flaw enables attackers to guess the short OTP code, achieving unauthorized access to a user’s account and compromising the system’s confidentiality and integrity.
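The weakness class here is CWE-307 (improper restriction of excessive authentication attempts): the OTP code itself stays valid no matter how many wrong guesses are made, so the only thing standing between an attacker and the code is a request throttle that sits in front of it. The fix pattern is to make the code's validity depend on its own failure counter and lifetime, independent of any HTTP rate limiter. The following is an added illustration of that pattern in TypeScript (Outline is a TypeScript project); it is example code, not Outline's implementation, and the store, the attempt limit, the lifetime and the email addresses are assumptions chosen for the demonstration.

```typescript
// Added example of OTP verification that invalidates the code after a bounded
// number of failed submissions and after its lifetime, independently of any
// request rate limiter. Not Outline's code; limits and sample values assumed.
import { randomInt, timingSafeEqual } from "crypto";

export interface OtpRecord {
  code: string;          // six-digit code as issued to the user
  expiresAt: number;     // epoch ms after which the code is dead
  failedAttempts: number;
}

export type VerifyResult = "ok" | "invalid" | "expired" | "locked" | "unknown";

export const MAX_FAILED_ATTEMPTS = 5;        // assumed policy value
export const OTP_LIFETIME_MS = 10 * 60_000;  // assumed 10-minute lifetime

export class OtpStore {
  private records = new Map<string, OtpRecord>();

  // Issue a fresh code for an address. Re-issuing replaces the old code, so a
  // partially guessed code cannot be carried over; `code` may be supplied only
  // for deterministic demonstration, production callers leave it undefined.
  issue(email: string, now: number = Date.now(), code?: string): string {
    const issued = code ?? randomInt(0, 1_000_000).toString().padStart(6, "0");
    this.records.set(email, {
      code: issued,
      expiresAt: now + OTP_LIFETIME_MS,
      failedAttempts: 0,
    });
    return issued;
  }

  verify(email: string, submitted: string, now: number = Date.now()): VerifyResult {
    const rec = this.records.get(email);
    if (!rec) return "unknown"; // no outstanding code: user must request a new one

    if (now >= rec.expiresAt) {
      this.records.delete(email);
      return "expired";
    }

    // Constant-time comparison; timingSafeEqual throws on length mismatch,
    // so a length check guards it without leaking anything useful.
    const a = Buffer.from(submitted);
    const b = Buffer.from(rec.code);
    const match = a.length === b.length && timingSafeEqual(a, b);

    if (match) {
      this.records.delete(email); // single use: a consumed code cannot be replayed
      return "ok";
    }

    rec.failedAttempts += 1;
    if (rec.failedAttempts >= MAX_FAILED_ATTEMPTS) {
      // The code itself is invalidated, not merely the caller throttled, so a
      // rate-limiter bypass buys the attacker nothing beyond MAX_FAILED_ATTEMPTS guesses.
      this.records.delete(email);
      return "locked";
    }
    return "invalid";
  }

  has(email: string): boolean {
    return this.records.has(email);
  }
}
```

The point of the design is that the budget of guesses is bound to the secret, not to the client: with a six-digit code and five permitted failures, a guess succeeds with probability 5/1,000,000 per issued code regardless of how many IP addresses, proxies or header tricks an attacker brings to the rate limiter. Once locked or expired the user simply requests a new code.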

Affected Systems

The affected product is Outline (listed under the vendor Getoutline). The vulnerability is present in releases starting with version 0.86.0 and continuing through all versions prior to 1.6.0. Any deployment of Outline within that version range is susceptible to OTP brute‑force attacks.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating a high severity impact. EPSS data is not available, and the issue has not been listed in CISA’s KEV catalog. The likely attack vector is a brute‑force attempt that exploits the rate‑limit bypass, requiring only knowledge of the user’s email address and the OTP code during its validity period. Because of the unrestricted attempts, the likelihood of successful exploitation is significant in environments where Outline is accessible over the internet.

Generated by OpenCVE AI on March 26, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.6.0 or later
  • Verify that the OTP login flow now enforces code invalidation after failed attempts
  • Monitor access logs for abnormal OTP request patterns and block suspicious IPs if necessary
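The monitoring item above is actionable only if failed OTP submissions are logged with the target address and the client IP and then counted per key over a time window; a throttle-bypassing attacker may spread requests across IPs, so the per-email count is the one that cannot be evaded. The following is an added detection example in TypeScript, not an OpenCVE or Outline artifact; the log line format (`<ISO timestamp> otp.verify ip=<ip> email=<email> outcome=<ok|fail>`), the threshold, the window and the sample lines are all constructed for the demonstration, since the page does not show Outline's real log format.

```typescript
// Added example: flag email addresses and client IPs whose failed OTP
// submissions exceed a threshold inside a sliding time window. The log format
// and the sample log lines below are constructed; they are not Outline's.
export interface OtpEvent {
  ts: number;            // epoch ms
  ip: string;
  email: string;
  outcome: "ok" | "fail";
}

// Assumed line format: "<ISO ts> otp.verify ip=<ip> email=<email> outcome=<ok|fail>"
const LINE = /^(\S+) otp\.verify ip=(\S+) email=(\S+) outcome=(ok|fail)$/;

export function parseLine(line: string): OtpEvent | null {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, ip: m[2], email: m[3], outcome: m[4] as "ok" | "fail" };
}

export interface Alert {
  kind: "email" | "ip";
  key: string;
  failures: number;    // highest failure count seen inside one window
  windowStart: number; // epoch ms of the oldest failure in that window
}

// Sliding-window count of failures per email and per IP over time-sorted events.
export function detectBruteForce(
  events: OtpEvent[],
  threshold = 10,
  windowMs = 10 * 60_000,
): Alert[] {
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const alerts = new Map<string, Alert>();
  for (const kind of ["email", "ip"] as const) {
    const windows = new Map<string, number[]>(); // key -> failure timestamps in window
    for (const e of sorted) {
      if (e.outcome !== "fail") continue;
      const key = e[kind];
      const w = windows.get(key) ?? [];
      w.push(e.ts);
      while (w.length > 0 && e.ts - w[0] > windowMs) w.shift(); // drop stale failures
      windows.set(key, w);
      if (w.length < threshold) continue;
      const id = `${kind}:${key}`;
      const existing = alerts.get(id);
      if (!existing) {
        alerts.set(id, { kind, key, failures: w.length, windowStart: w[0] });
      } else if (w.length > existing.failures) {
        existing.failures = w.length;
      }
    }
  }
  return [...alerts.values()];
}

// Constructed sample: one address hammered from one IP, plus benign traffic
// and a malformed line that the parser must skip.
export const SAMPLE_LOG: string[] = [
  "2026-03-26T21:00:00Z otp.verify ip=203.0.113.7 email=victim@example.com outcome=fail",
  "2026-03-26T21:00:05Z otp.verify ip=203.0.113.7 email=victim@example.com outcome=fail",
  "2026-03-26T21:00:10Z otp.verify ip=203.0.113.7 email=victim@example.com outcome=fail",
  "2026-03-26T21:00:15Z otp.verify ip=203.0.113.7 email=victim@example.com outcome=fail",
  "2026-03-26T21:00:20Z otp.verify ip=203.0.113.7 email=victim@example.com outcome=fail",
  "2026-03-26T21:00:25Z otp.verify ip=203.0.113.7 email=victim@example.com outcome=fail",
  "2026-03-26T21:00:30Z otp.verify ip=198.51.100.2 email=alice@example.com outcome=ok",
  "2026-03-26T21:00:40Z otp.verify ip=198.51.100.9 email=bob@example.com outcome=fail",
  "2026-03-26T21:00:45Z otp.verify ip=198.51.100.9 email=bob@example.com outcome=ok",
  "this line is not an otp event",
];

// Run the detector over the sample with a demonstration-sized threshold and window.
export function runSample(): Alert[] {
  const events = SAMPLE_LOG.map(parseLine).filter((e): e is OtpEvent => e !== null);
  return detectBruteForce(events, 5, 60_000);
}
```

In practice the per-email alert is the one to act on with a credential-side response (invalidate the outstanding code, notify the user), while the per-IP alert feeds the blocking step the recommendation mentions; blocking alone is the control this CVE shows to be insufficient.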


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Getoutline; Getoutline outline
Vendors & Products   -                Getoutline; Getoutline outline

Thu, 26 Mar 2026 21:15:00 +0000

Type         Values Removed   Values Added
Description  -                Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue.
Title        -                Outline has a rate limit bypass that allows brute force of email login OTP
Weaknesses   -                CWE-307
References   -
Metrics      -                cvssV4_0: {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:56:37.818Z

Reserved: 2026-03-23T14:24:11.619Z

Link: CVE-2026-33640

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T21:17:07.637

Modified: 2026-03-26T21:17:07.637

Link: CVE-2026-33640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:21Z

Weaknesses