Description
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.
Published: 2026-05-11
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in Outline's OAuthInterface.validateScope() allows a single valid scope to authorize the entire requested scope set, enabling an attacker to inject the wildcard * scope and upgrade a read-only token to full unrestricted API access, including write, delete, and admin operations.
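As an added example (not Outline's own code), the following JavaScript reconstructs the Array.some() mistake from the description beside a corrected validator, and shows why a smuggled wildcard matters at authorization time. The allowlist, scope names and helper functions are assumptions for illustration, not Outline's API.

```javascript
// Added example, not Outline's code. Assumed allowlist of scopes a client may request.
const CLIENT_ALLOWED_SCOPES = ["read", "write"];

// The OAuth scope parameter is space separated, so scope=read * arrives as "read *".
function parseScopeParam(param) {
  return String(param).split(/\s+/).filter(Boolean);
}

// Vulnerable pattern (as described in the advisory): Array.some() returns true as
// soon as ONE requested scope is allowed, so ["read", "*"] passes because "read" does.
function validateScopeVulnerable(requested) {
  return requested.some((s) => CLIENT_ALLOWED_SCOPES.includes(s));
}

// Corrected pattern: every requested scope must be individually allowed, the list
// must be non-empty, and the wildcard is never accepted from a client request.
function validateScopeFixed(requested) {
  return (
    requested.length > 0 &&
    requested.every((s) => s !== "*" && CLIENT_ALLOWED_SCOPES.includes(s))
  );
}

// Authorization at API call time (assumed semantics): a token carrying "*" satisfies
// any required scope, which is what turns a read-only token into full access.
function tokenPermits(tokenScopes, required) {
  return tokenScopes.includes("*") || tokenScopes.includes(required);
}

// Token issuance using the given validator; returns null when the request is rejected.
function issueToken(scopeParam, validate) {
  const requested = parseScopeParam(scopeParam);
  return validate(requested) ? { scopes: requested } : null;
}
```

Monitoring the rejected requests from validateScopeFixed() gives the audit signal the recommended actions below ask for: any client sending "*" in its scope parameter is worth investigating.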

Affected Systems

Outline documentation platform, versions 0.84.0 through 1.6.1, inclusive. All releases prior to 1.7.0 are affected; version 1.7.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity vulnerability. Exploitation requires the ability to request OAuth scopes, which an attacker can achieve by manipulating the scope parameter in the authorization request. The flaw is an improper scope validation weakness (CWE-269) that results in privilege escalation. The EPSS score is not available; the vulnerability is not listed in CISA KEV, but its impact and accessible attack vector warrant immediate remediation.

Generated by OpenCVE AI on May 11, 2026 at 23:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Outline release 1.7.0 or later to fully resolve the scope validation bug
  • If an immediate upgrade is not possible, restrict OAuth tokens to non-wildcard scopes and enforce tighter scope validation logic in the deployment environment
  • Monitor OAuth token requests for unexpected scope values and audit authorization logs for privilege escalation attempts


Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 09:15:00 +0000

Type: First Time appeared; Values Added: Getoutline, Getoutline outline
Type: Vendors & Products; Values Added: Getoutline, Getoutline outline

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.
Title Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N'}


Subscriptions

Getoutline Outline
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:20:35.103Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43886

Vulnrichment

Updated: 2026-05-12T13:20:22.502Z

NVD

Status : Deferred

Published: 2026-05-11T22:22:13.350

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-43886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses