CVE-2026-28506
Insecure Direct Object Reference in Outline Events API
Publication date: 2026-03-17
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getoutline | outline | up to 1.5.0 (excluding 1.5.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28506 is a moderate severity information disclosure vulnerability in the Outline application versions prior to 1.5.0. It affects the events.list API endpoint, which is used to retrieve activity logs. The flaw is in the filtering logic of this endpoint, allowing any authenticated user to access activity events related to documents that have no collection ID, such as Private Drafts and Deleted Documents, regardless of their permissions on those documents.
Although the document content itself is not exposed, sensitive metadata is leaked. This includes document IDs, user activity timestamps, and in some cases the title of permanently deleted documents. Because valid document IDs are revealed, the leakage undermines the protection that the randomness of UUID document IDs would otherwise provide, making it easier to carry out higher-severity Insecure Direct Object Reference (IDOR) attacks, such as those against the documents.restore functionality.
How can this vulnerability impact me?
This vulnerability can impact you by leaking sensitive metadata related to documents you may not have permission to access. Specifically, it allows an attacker to retrieve Document IDs, user activity timestamps, and document titles of permanently deleted drafts.
- User enumeration and tracking of admin activity on private drafts.
- Exposure of sensitive metadata, including document titles of permanently deleted drafts.
- Facilitation of high-severity IDOR attacks by revealing valid document IDs, lowering the attack complexity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API requests to the events.list endpoint in the Outline application, especially those made by authenticated users retrieving activity logs without specific filters.

A proof of concept involves a regular user successfully retrieving document IDs and titles of permanently deleted private drafts, which should normally be inaccessible.

To detect exploitation attempts or the presence of this vulnerability, you can analyze logs for unusual access patterns to the events.list API endpoint where collectionId is null and verify whether activity events related to private drafts or deleted documents are being returned.

Specific commands depend on your environment, but an example curl command to test the vulnerability might look like:

- `curl -H "Authorization: Bearer <user_token>" https://<outline-instance>/api/events.list`
- Check the response for events related to documents with no collectionId (e.g., private drafts or deleted documents).

Additionally, network monitoring tools can be used to inspect traffic to the events.list endpoint for unauthorized access to sensitive metadata. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the Outline application to version 1.5.0 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the events.list API endpoint to only trusted users or roles, and monitor for suspicious activity involving retrieval of events related to documents without a collection.
Implement additional access controls or filters on the server side to ensure that users can only retrieve activity events for documents they have permissions to access.
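The following is an added illustration of the server-side filter described above, contrasting a check that only gates events carrying a collectionId (so events with a null collectionId leak to every authenticated user) with one that also ties collection-less events to the creator of the document. The data shapes, the `canRead` membership helper and the sample events are hypothetical and constructed here; this is not Outline's own code.

```typescript
// Hypothetical event and document shapes; not Outline's models.
type OutlineEvent = {
  id: string;
  name: string;                 // e.g. "documents.delete"
  documentId: string;
  collectionId: string | null;  // null for private drafts and deleted documents
  actorId: string;
};
type Doc = { id: string; createdById: string };
type User = { id: string };
// Hypothetical collection-membership check: may this user read this collection?
type CanReadCollection = (userId: string, collectionId: string) => boolean;

// Weak filter: only events that carry a collectionId are gated, so every event
// with a null collectionId is returned to any authenticated user.
function filterEventsWeak(
  events: OutlineEvent[], user: User, canRead: CanReadCollection,
): OutlineEvent[] {
  return events.filter(e => e.collectionId === null || canRead(user.id, e.collectionId));
}

// Hardened filter: an event with no collection is shown only to the creator of
// the document it belongs to; events for unknown documents are denied, not leaked.
function filterEventsHardened(
  events: OutlineEvent[], user: User, docs: Map<string, Doc>, canRead: CanReadCollection,
): OutlineEvent[] {
  return events.filter(e => {
    if (e.collectionId !== null) return canRead(user.id, e.collectionId);
    const doc = docs.get(e.documentId);
    return doc !== undefined && doc.createdById === user.id;
  });
}

// Constructed sample data: an admin's private draft (no collection) and a shared document.
const sampleDocs = new Map<string, Doc>([
  ["doc-draft", { id: "doc-draft", createdById: "admin" }],
  ["doc-shared", { id: "doc-shared", createdById: "admin" }],
]);
const sampleEvents: OutlineEvent[] = [
  { id: "e1", name: "documents.create", documentId: "doc-draft", collectionId: null, actorId: "admin" },
  { id: "e2", name: "documents.delete", documentId: "doc-draft", collectionId: null, actorId: "admin" },
  { id: "e3", name: "documents.update", documentId: "doc-shared", collectionId: "col-1", actorId: "admin" },
];
// Hypothetical membership rule: every user may read collection col-1.
const anyoneReadsCol1: CanReadCollection = (_userId, collectionId) => collectionId === "col-1";

// For a regular user "alice": the weak filter returns all three events (leaking the
// admin's draft activity), the hardened filter returns only the shared-document event.
const leakedToAlice = filterEventsWeak(sampleEvents, { id: "alice" }, anyoneReadsCol1).length;
const allowedToAlice = filterEventsHardened(sampleEvents, { id: "alice" }, sampleDocs, anyoneReadsCol1).length;
```

Running it, `leakedToAlice` is 3 and `allowedToAlice` is 1, which is the difference the fix in 1.5.0 is meant to close.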