Impact
Outline’s AuthenticationHelper.canAccess verifies token scopes by examining the last path segment of the request’s original URL, but it mistakenly does not remove the URL fragment portion (# …). Since Koa’s router uses ctx.path, which strips fragments, routing operates on the intended endpoint while the scope check mistakenly evaluates against the fragment. By attaching a fragment that contains a path the token is authorized for—e.g., appending #foo/api/documents.info to a restricted endpoint such as /api/documents.create—an attacker can trick the authorization logic into succeeding. The result is a breach of intended scope and a privilege escalation. The flaw is a classic example of CWE‑863 (Authorization Bypass Through Function-Level Authorization).
Affected Systems
The issue affects the Outline application (service name: Outline) running any version prior to 1.8.0. All deployments using a pre‑1.8.0 release are vulnerable; no more granular sub‑version details are enumerated beyond the pre‑1.8.0 threshold.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that publicly observed exploitation is currently low to moderate. The attack can be performed remotely by an attacker who has a valid but restricted‑scope API key or OAuth token. By crafting an HTTP request that appends a fragment containing a path the token is authorized for to a restricted endpoint, the attacker can bypass the scope check and perform actions beyond the intended privilege level. No additional privileges or server‑side credentials are needed to exploit the flaw.
OpenCVE Enrichment