CVE-2026-43889
Received Received - Intake
Outline Collaboration Suite Document Exposure via Improper Share Permission Validation

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43889
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
outline outline 1.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Outline service before version 1.7.0. The shares.create API allowed both collectionId and documentId to be provided simultaneously. When the share was unpublished (published=false), the system only checked if the user had read access to each item but did not verify if the user had the proper "share" permission. Later, the shares.update API authorized publication if the user had share permission on either the collection or the document (an OR policy). This means an attacker who had share permission on one unrelated collection could publish a share that exposed a document they were not authorized to share, making that document publicly accessible to unauthenticated users.

Compliance Impact

This vulnerability allows an attacker to make an arbitrary document publicly accessible to unauthenticated users by exploiting improper permission checks in the shares.create and shares.update APIs. This unauthorized exposure of potentially sensitive or confidential information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and protected health information.

Specifically, the vulnerability could result in unauthorized disclosure of data, violating confidentiality requirements mandated by these standards. Organizations using affected versions of Outline prior to 1.7.0 may face increased risk of data breaches and regulatory penalties if sensitive data is exposed due to this flaw.

Impact Analysis

This vulnerability can lead to unauthorized public exposure of sensitive documents. An attacker with share permission on one collection could publish documents from other collections they should not have access to, making those documents accessible to anyone without authentication. This could result in data leakage and compromise of confidential information.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Outline service to version 1.7.0 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart