Description
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Outline allows collaborative documents to be shared via an API that, before version 1.7.0, accepts both a collection identifier and a document identifier in the same request. When the created share is set to unpublished, the system only checks that the requester can read the collection and the document; it does not enforce that the requester actually holds share permission on either. Later, updating the share to publish it uses an OR policy (share permission on either the collection or the document is enough) to decide whether publication is allowed. An attacker who can share a different collection can therefore create a published share that exposes any document they can read but cannot normally share, making that document publicly available to anyone.
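To make the authorization gap concrete, the following is an added model of the flow described above. It is illustrative TypeScript written for this page, not Outline's code; the grant store, the function names and the hardened variant are assumptions.

```typescript
// Illustrative model of the share authorization flaw (assumption: not Outline's implementation).
type Perm = "read" | "share";
type Kind = "collection" | "document";
// Grants are keyed as "<kind>:<id>", e.g. "collection:c1" -> {read, share}.
type Grants = Map<string, Set<Perm>>;

interface Share { collectionId?: string; documentId?: string; published: boolean; }

function can(g: Grants, kind: Kind, id: string | undefined, perm: Perm): boolean {
  return id !== undefined && (g.get(`${kind}:${id}`)?.has(perm) ?? false);
}

// Every target a share references (a mixed share references both).
function targets(s: Share): [Kind, string][] {
  const t: [Kind, string][] = [];
  if (s.collectionId) t.push(["collection", s.collectionId]);
  if (s.documentId) t.push(["document", s.documentId]);
  return t;
}

// Pre-1.7.0 behaviour as the advisory describes it: an unpublished share only
// needs read access on each target, and publication is then authorized by an OR.
function createShareVulnerable(g: Grants, s: Share): Share {
  const needed: Perm = s.published ? "share" : "read";
  if (!targets(s).every(([k, id]) => can(g, k, id, needed))) throw new Error("forbidden");
  return { ...s };
}
function publishShareVulnerable(g: Grants, s: Share): Share {
  const ok = can(g, "collection", s.collectionId, "share")
          || can(g, "document", s.documentId, "share");
  if (!ok) throw new Error("forbidden");
  return { ...s, published: true };
}

// Illustrative hardening (an assumption, not the actual 1.7.0 patch): publishing
// requires share permission on every target the share would expose.
function publishShareFixed(g: Grants, s: Share): Share {
  if (!targets(s).every(([k, id]) => can(g, k, id, "share"))) throw new Error("forbidden");
  return { ...s, published: true };
}

// Constructed scenario: the requester may share collection c1 but only read document d9.
const requester: Grants = new Map([
  ["collection:c1", new Set<Perm>(["read", "share"])],
  ["document:d9", new Set<Perm>(["read"])],
]);
// Returns whether the mixed share ends up published under the given publish policy.
function scenario(publish: (g: Grants, s: Share) => Share): boolean {
  const draft: Share = { collectionId: "c1", documentId: "d9", published: false };
  try { return publish(requester, createShareVulnerable(requester, draft)).published; }
  catch { return false; }
}
```

Running `scenario` with the OR policy publishes d9 even though the requester cannot share it, while the hardened policy refuses.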

Affected Systems

The Outline collaboration platform is affected, specifically any installation using a version older than 1.7.0. The vulnerable behavior is limited to the shares.create and shares.update API endpoints.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is unavailable, so the current exploit probability is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a legitimate authenticated attacker who holds share permission on an unrelated collection; by invoking the share create and update APIs they can publish content they should not be able to expose, making it accessible to anonymous users.

Generated by OpenCVE AI on May 11, 2026 at 23:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.7.0 or later to eliminate this flaw
  • Review and restrict share permissions on collections to prevent unintended publishing rights
  • Audit existing shares for public status and remove any that expose unintended documents
  • Monitor API usage logs for suspicious share creation patterns

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 09:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Getoutline; Getoutline outline
Vendors & Products  | (none)         | Getoutline; Getoutline outline

Mon, 11 May 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.
Title       | (none)         | Outline: Unauthorized Document Publication via Mixed collectionId+documentId Share
Weaknesses  | (none)         | CWE-863
References  | (none)         | (none listed)
Metrics     | (none)         | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:38:04.105Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43889

Vulnrichment

Updated: 2026-05-12T13:37:53.750Z

NVD

Status : Deferred

Published: 2026-05-11T22:22:13.760

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-43889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses