CVE-2026-41649
Insecure Direct Object Reference in Outline Shares API Allows Unauthorized Document Access
Publication date: 2026-04-28
Last updated on: 2026-05-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getoutline | outline | From 0.86.0 (inc) to 1.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Outline service's `shares.create` API endpoint in versions from 0.86.0 up to but not including 1.7.0. When a request includes both `collectionId` and `documentId`, the authorization logic only verifies access to the collection and ignores the document itself. This flaw allows an authenticated attacker to create a valid public share link for any document on the platform, even those belonging to other workspaces. The attacker can then retrieve the full contents of these documents using the `documents.info` endpoint. The issue is fixed in version 1.7.0.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker to access documents from other workspaces without proper authorization, potentially exposing sensitive or confidential information.
Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive documents across different workspaces within the Outline platform. An attacker with valid authentication can generate public share links to documents they should not have access to and retrieve their full contents. This could result in exposure of confidential or private information, potentially leading to data breaches or information leakage.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists in Outline versions starting from 0.86.0 up to but not including 1.7.0. The immediate step to mitigate this vulnerability is to upgrade Outline to version 1.7.0 or later, which contains a patch that fixes the insecure direct object reference issue.