CVE-2026-41649
Received Received - Intake
Insecure Direct Object Reference in Outline Shares API Allows Unauthorized Document Access

Publication date: 2026-04-28

Last updated on: 2026-05-01

Assigner: GitHub, Inc.

Description
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41649
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getoutline outline From 0.86.0 (inc) to 1.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated attacker to access documents from other workspaces without proper authorization, potentially exposing sensitive or confidential information.

Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Executive Summary

This vulnerability exists in the Outline service's `shares.create` API endpoint in versions from 0.86.0 up to but not including 1.7.0. When a request includes both `collectionId` and `documentId`, the authorization logic only verifies access to the collection and ignores the document itself. This flaw allows an authenticated attacker to create a valid public share link for any document on the platform, even those belonging to other workspaces. The attacker can then retrieve the full contents of these documents using the `documents.info` endpoint. The issue is fixed in version 1.7.0.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive documents across different workspaces within the Outline platform. An attacker with valid authentication can generate public share links to documents they should not have access to and retrieve their full contents. This could result in exposure of confidential or private information, potentially leading to data breaches or information leakage.

Mitigation Strategies

The vulnerability exists in Outline versions starting from 0.86.0 up to but not including 1.7.0. The immediate step to mitigate this vulnerability is to upgrade Outline to version 1.7.0 or later, which contains a patch that fixes the insecure direct object reference issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41649. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart