Description
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() — it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1.
Published: 2026-05-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Outline’s subscriptions.create endpoint suffers a classic IDOR whereby a user can request a subscription to a private document they cannot read. When both collectionId and documentId are supplied, the handler mistakenly authorizes only the collection level, while the downstream command records the subscription directly against the supplied document ID. This allows an attacker to create a subscription to any private document, potentially gaining notification access, co‑listing, and other metadata exposures. The vulnerability is a textbook example of CWE‑639: Authorization Bypass via Privilege Escalation.

Affected Systems

Outline Outline, versions 0.84.0 through 1.7.0 inclusive. Any instance that exposes the subscriptions.create API during that version range is affected. The issue was resolved in version 1.7.1.

Risk and Exploitability

The CVSS score of 7.7 flags this as a high‑severity flaw. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating limited public exploitation. An attacker must be authenticated and craft an HTTP POST request to the subscriptions.create endpoint, providing both a collectionId and a documentId that triggers the broken authorization path. The attack requires no additional privileges beyond a legitimate user account and can be performed remotely via the API, making it relatively low effort but with non‑trivial impact in environments with many private documents.

Generated by OpenCVE AI on May 12, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.7.1 or later to patch the broken authorization check on subscriptions.create.
  • Identify and revoke any subscriptions that were created on private documents without proper read permissions, using the administrative interface or API.
  • Restrict or disable the subscriptions.create endpoint for users who do not have explicit document‑level read access, and audit logs for unexpected subscription creations.

Generated by OpenCVE AI on May 12, 2026 at 00:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Getoutline
Getoutline outline
Vendors & Products Getoutline
Getoutline outline

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() — it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1.
Title Outline: IDOR in subscriptions.create allows cross-tenant subscription on private documents (sibling of GHSA-23jj-rp48-w7q7)
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Getoutline Outline
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T21:09:00.286Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43890

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-11T22:22:13.900

Modified: 2026-05-12T15:13:21.560

Link: CVE-2026-43890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses