Description
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.
Published: 2026-04-28
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Outline's `shares.create` API, versions 0.86.0 through 1.6.x accept a request that carries both `collectionId` and `documentId`. The authorization check validates only the collection and never the document, so an authenticated user who can share a collection of their own can pair it with an arbitrary `documentId`, including one from another workspace, and receive a valid public share link for that document. Because the link is a genuine share, `documents.info` serves the full document content to whoever holds it, disclosing data the caller was never authorized to read.
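The check described above, modelled as an added TypeScript example that is not Outline's own code: an in-memory handler with the vulnerable shape (authorize the collection, copy `documentId` through unchecked) next to a fixed one that authorizes every referenced object and rejects a document that is not in the named collection. The team, collection and document records, the `memberIds` membership model and the `canShare*` helpers are all constructed for this example.

```typescript
// Added illustrative model of the shares.create authorization flaw; not Outline's code.
// Names, data shapes and sample records are constructed for this example.

type User = { id: string; teamId: string };
type Collection = { id: string; teamId: string; memberIds: string[] };
type Doc = { id: string; teamId: string; collectionId: string };
type Share = { documentId: string | null; collectionId: string | null; teamId: string; createdBy: string };
type CreateShareInput = { collectionId?: string; documentId?: string };

// Constructed sample data: two workspaces (teams), one collection and one document each.
const users: Record<string, User> = {
  "u-mallory": { id: "u-mallory", teamId: "team-acme" },
  "u-alice": { id: "u-alice", teamId: "team-globex" },
};
const collections: Record<string, Collection> = {
  "col-acme": { id: "col-acme", teamId: "team-acme", memberIds: ["u-mallory"] },
  "col-globex": { id: "col-globex", teamId: "team-globex", memberIds: ["u-alice"] },
};
const documents: Record<string, Doc> = {
  "doc-acme-notes": { id: "doc-acme-notes", teamId: "team-acme", collectionId: "col-acme" },
  "doc-globex-secret": { id: "doc-globex-secret", teamId: "team-globex", collectionId: "col-globex" },
};

function canShareCollection(user: User, c: Collection): boolean {
  return c.teamId === user.teamId && c.memberIds.includes(user.id);
}

function canShareDocument(user: User, d: Doc): boolean {
  const c = collections[d.collectionId];
  return d.teamId === user.teamId && c !== undefined && canShareCollection(user, c);
}

// VULNERABLE (CWE-639 pattern): with a collectionId present the handler authorizes only
// the collection, then copies documentId into the share without ever authorizing it.
function createShareVulnerable(user: User, input: CreateShareInput): Share {
  if (input.collectionId !== undefined) {
    const c = collections[input.collectionId];
    if (c === undefined || !canShareCollection(user, c)) throw new Error("authorization_error");
  } else if (input.documentId !== undefined) {
    const d = documents[input.documentId];
    if (d === undefined || !canShareDocument(user, d)) throw new Error("authorization_error");
  } else {
    throw new Error("validation_error");
  }
  return { documentId: input.documentId ?? null, collectionId: input.collectionId ?? null,
           teamId: user.teamId, createdBy: user.id };
}

// FIXED: every object the request references is loaded and authorized on its own, and a
// document supplied together with a collection must actually belong to that collection.
function createShareFixed(user: User, input: CreateShareInput): Share {
  if (input.collectionId === undefined && input.documentId === undefined) {
    throw new Error("validation_error");
  }
  let collection: Collection | undefined;
  if (input.collectionId !== undefined) {
    collection = collections[input.collectionId];
    if (collection === undefined || !canShareCollection(user, collection)) {
      throw new Error("authorization_error");
    }
  }
  let doc: Doc | undefined;
  if (input.documentId !== undefined) {
    doc = documents[input.documentId];
    if (doc === undefined || !canShareDocument(user, doc)) {
      throw new Error("authorization_error");
    }
    if (collection !== undefined && doc.collectionId !== collection.id) {
      throw new Error("authorization_error"); // mismatched pair: trust neither id
    }
  }
  return { documentId: doc?.id ?? null, collectionId: collection?.id ?? null,
           teamId: user.teamId, createdBy: user.id };
}

// Runs one handler and reports "ok:<documentId>" or the error name, for the demonstration.
function attempt(handler: (u: User, i: CreateShareInput) => Share, userId: string,
                 input: CreateShareInput): string {
  try {
    return "ok:" + (handler(users[userId], input).documentId ?? "collection-only");
  } catch (e) {
    return (e as Error).message;
  }
}

// Mallory (team-acme) pairs her own collection with a private document from team-globex.
const crossTeam: CreateShareInput = { collectionId: "col-acme", documentId: "doc-globex-secret" };
console.log(attempt(createShareVulnerable, "u-mallory", crossTeam)); // ok:doc-globex-secret
console.log(attempt(createShareFixed, "u-mallory", crossTeam)); // authorization_error
```

The point the fixed handler makes is that an authorization decision has to be taken per object referenced by the request, not per request: the presence of one authorized identifier says nothing about a second identifier that will end up in the stored record.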

Affected Systems

The affected product is Outline, v0.86.0 through v1.6.x (inclusive). The fix was introduced in v1.7.0; any deployment running a version in that range is susceptible.

Risk and Exploitability

The CVSS 3.1 base score of 7.7 (High; vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) reflects a flaw reachable over the network with low attack complexity, requiring only a low-privilege authenticated account and no user interaction, with high confidentiality impact and a changed scope because documents in other workspaces can be exposed. The EPSS score is below 1% (Very Low) and the vulnerability is not listed in KEV, so no widespread exploitation has been reported; the SSVC record nevertheless marks exploitation status as "poc". An attacker needs an account on the Outline instance; once authenticated, they can invoke shares.create to create share links for documents they are not allowed to read. Because the abuse requires no privileges beyond those of an ordinary authenticated user, the exposed surface is broad on any multi-workspace deployment. Organizations should treat it as a high risk and patch promptly.

Generated by OpenCVE AI on April 29, 2026 at 01:16 UTC.

Remediation

Vendor fix: Outline version 1.7.0 contains the patch. No vendor-provided workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.7.0 or later, which contains the fix for this IDOR.
  • Until the upgrade can be applied, restrict who can reach the `shares.create` endpoint (for example by blocking the `/api/shares.create` path at the reverse proxy in front of Outline for all but trusted users, or by disabling public document sharing in the workspace security settings) so that only trusted users can create share links.
  • Review existing public share links and revoke any whose target document does not belong to the workspace the share was created in, and monitor for new share creations that pair a `collectionId` with a `documentId` from a different collection or workspace.
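One way to carry out the review step above, as an added TypeScript example that is not part of OpenCVE's text or Outline's code: given exported share rows and document rows, flag every share whose target document lives in a different workspace than the share itself (the only way such a row could exist on an affected version) and produce the list of share ids to revoke. The row shapes (a share carrying `documentId`, the `teamId` it was created in, `userId` and `createdAt`; a document carrying its own `teamId`) and the sample rows are constructed for this example; map them onto whatever export your instance gives you.

```typescript
// Added example for the cleanup step: audit exported share and document rows for public
// shares whose target document belongs to a different workspace than the share itself.
// Not Outline's code; the row shapes and the sample rows are constructed for this example.

type ShareRow = { id: string; documentId: string; teamId: string; userId: string; createdAt: string };
type DocRow = { id: string; teamId: string; title: string };
type Finding = {
  shareId: string;
  reason: "cross-workspace share" | "dangling document";
  shareTeam: string;
  documentTeam: string | null;
};

// Flags shares that could only exist through the IDOR (or that point at a vanished document),
// optionally limited to shares created at or after `since` (ISO 8601 UTC), for example the
// date the instance first ran an affected version.
function auditShares(shares: ShareRow[], docs: DocRow[], since?: string): Finding[] {
  const docsById = new Map<string, DocRow>();
  for (const d of docs) docsById.set(d.id, d);
  const findings: Finding[] = [];
  for (const s of shares) {
    if (since !== undefined && s.createdAt < since) continue; // ISO 8601 UTC strings sort lexically
    const d = docsById.get(s.documentId);
    if (d === undefined) {
      findings.push({ shareId: s.id, reason: "dangling document", shareTeam: s.teamId, documentTeam: null });
    } else if (d.teamId !== s.teamId) {
      findings.push({ shareId: s.id, reason: "cross-workspace share", shareTeam: s.teamId, documentTeam: d.teamId });
    }
  }
  return findings;
}

// Share ids to revoke, sorted for stable reporting.
function revocationList(findings: Finding[]): string[] {
  return findings.map((f) => f.shareId).sort();
}

// Constructed sample rows: one legitimate share, one cross-workspace share, one dangling share.
const sampleDocs: DocRow[] = [
  { id: "doc-acme-notes", teamId: "team-acme", title: "Acme onboarding" },
  { id: "doc-globex-secret", teamId: "team-globex", title: "Globex Q3 plan" },
];
const sampleShares: ShareRow[] = [
  { id: "sh-1", documentId: "doc-acme-notes", teamId: "team-acme", userId: "u-mallory", createdAt: "2026-03-02T09:00:00Z" },
  { id: "sh-2", documentId: "doc-globex-secret", teamId: "team-acme", userId: "u-mallory", createdAt: "2026-04-10T15:30:00Z" },
  { id: "sh-3", documentId: "doc-deleted", teamId: "team-globex", userId: "u-alice", createdAt: "2026-01-20T11:00:00Z" },
];

for (const f of auditShares(sampleShares, sampleDocs)) {
  console.log(`${f.shareId}: ${f.reason} (share team ${f.shareTeam}, document team ${f.documentTeam ?? "none"})`);
}
```

Dangling shares are reported as well because a share that outlives its document is worth revoking regardless of how it was created; pass a `since` date to narrow the review to the window in which an affected version was running.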

Generated by OpenCVE AI on April 29, 2026 at 01:16 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Getoutline; Getoutline outline
Vendors & Products | (none) | Getoutline; Getoutline outline

Tue, 28 Apr 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.
Title | (none) | Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces
Weaknesses | (none) | CWE-639
References | (none) | (empty)
Metrics | (none) | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-29T13:12:25.759Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41649

Vulnrichment

Updated: 2026-04-29T13:12:19.892Z

NVD

Status : Received

Published: 2026-04-28T22:16:49.747

Modified: 2026-04-29T14:16:18.250

Link: CVE-2026-41649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:00:09Z

Weaknesses