CVE-2025-68663
WebSocket Authentication Bypass in Outline Allows Unauthorized Access
Publication date: 2026-02-11
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getoutline | outline | to 1.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can impact you by allowing suspended users to continue accessing real-time WebSocket connections.
Such users can receive sensitive operational updates, including the contents of modified documents, which may lead to unauthorized information disclosure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2025-68663 is a high-severity vulnerability in Outline's WebSocket authentication mechanism affecting versions up to and including v1.0.1."}, {'type': 'paragraph', 'content': 'The flaw allows suspended users to bypass authentication controls and maintain or establish real-time WebSocket connections despite their account suspension.'}, {'type': 'paragraph', 'content': 'As a result, these users can continue receiving sensitive operational updates, including the contents of modified documents.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-287 (Improper Authentication), where the system fails to adequately verify the identity claims of users.'}, {'type': 'paragraph', 'content': 'The issue was fixed in Outline version 1.1.0.'}] [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves suspended users maintaining or establishing WebSocket connections despite account suspension, which indicates improper authentication in the WebSocket mechanism.
To detect this on your network or system, you can monitor WebSocket connections for active sessions from suspended user accounts.
Suggested commands include inspecting WebSocket traffic and user session states, for example using network monitoring tools like tcpdump or Wireshark to filter WebSocket traffic, or querying your application logs for WebSocket connection attempts from suspended users.
- Use tcpdump to capture WebSocket traffic: tcpdump -i <interface> -w websocket_traffic.pcap port 80 or port 443
- Analyze captured traffic with Wireshark to identify WebSocket connections from suspended user IPs or sessions.
- Check application logs for WebSocket authentication events related to suspended accounts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Outline to version 1.1.0 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, consider temporarily disabling WebSocket connections for suspended users or implementing additional access controls to prevent suspended accounts from establishing or maintaining WebSocket connections.
Review and audit user suspension processes to ensure suspended users lose all real-time access immediately.