Description
Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Outline’s AuthenticationHelper.canAccess verifies token scopes by examining the last path segment of the request’s original URL, but it mistakenly does not remove the URL fragment portion (# …). Since Koa’s router uses ctx.path, which strips fragments, routing operates on the intended endpoint while the scope check mistakenly evaluates against the fragment. By attaching a fragment that contains a path the token is authorized for—e.g., appending #foo/api/documents.info to a restricted endpoint such as /api/documents.create—an attacker can trick the authorization logic into succeeding. The result is a breach of intended scope and a privilege escalation. The flaw is a classic example of CWE‑863 (Authorization Bypass Through Function-Level Authorization).

Affected Systems

The issue affects the Outline application (service name: Outline) running any version prior to 1.8.0. All deployments using a pre‑1.8.0 release are vulnerable; no more granular sub‑version details are enumerated beyond the pre‑1.8.0 threshold.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that publicly observed exploitation is currently low to moderate. The attack can be performed remotely by an attacker who has a valid but restricted‑scope API key or OAuth token. By crafting an HTTP request that appends a fragment containing a path the token is authorized for to a restricted endpoint, the attacker can bypass the scope check and perform actions beyond the intended privilege level. No additional privileges or server‑side credentials are needed to exploit the flaw.

Generated by OpenCVE AI on June 25, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outline to version 1.8.0 or later to deploy the vendor‑issued fix.
  • Configure your reverse proxy or edge server to strip URL fragments before forwarding requests to Outline, ensuring that the authentication helper receives a clean path that matches the routing path.
  • Implement or tighten fine‑grained scope validation middleware that maps the requested resource to the token’s authorized scopes, independent of the URL fragment, to guard against similar parsing issues in the future.

Generated by OpenCVE AI on June 25, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Getoutline
Getoutline outline
Vendors & Products Getoutline
Getoutline outline

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.
Title Authorization Bypass in API Key/OAuth Scopes via Path Parsing Discrepancy
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Getoutline Outline
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:42:57.082Z

Reserved: 2026-06-15T19:15:27.343Z

Link: CVE-2026-54573

cve-icon Vulnrichment

Updated: 2026-06-26T17:50:48.523Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses