CVE-2026-43889
Outline Collaboration Suite Document Exposure via Improper Share Permission Validation
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| outline | outline | < 1.7.0 (fixed in 1.7.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Outline before version 1.7.0. The shares.create API accepted a collectionId and a documentId in the same request. When the share was created unpublished (published=false), the API only checked that the caller could read each referenced item; it did not check that the caller held the "share" permission on them. The shares.update API then authorized publication if the caller had share permission on either the collection or the document (an OR policy rather than a check on each referenced item). An attacker could therefore create an unpublished share that paired a collection they were allowed to share with a document from another collection they could only read, then publish it: the collection side satisfied the OR check, and the document became reachable by unauthenticated users through the public share link.
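The following TypeScript is an added illustration written for this page, not Outline's own code, that models the two authorization policies described above: the pre-1.7.0 behaviour (read-only check at creation, OR check at publication) beside a hardened check that requires share permission on every referenced item and rejects a document paired with a collection it does not belong to. All identifiers (Perm, Share, Env, createShareVulnerable, publishShareVulnerable, shareAuthorizedHardened, scenario) and the sample users, collections and documents are hypothetical and constructed for the example.

```typescript
// Added illustration (not Outline's code): a minimal model of the share
// permission checks described in the advisory. All names are hypothetical.

type Perm = "read" | "share";

interface Resource {
  id: string;
  // hypothetical per-user permission lists, filled from constructed data
  perms: Record<string, Perm[]>;
}
interface Collection extends Resource {}
interface Doc extends Resource {
  collectionId: string; // collection the document actually belongs to
}

interface Share {
  collectionId?: string;
  documentId?: string;
  published: boolean;
}

interface Env {
  collections: Record<string, Collection>;
  documents: Record<string, Doc>;
}

function has(user: string, res: Resource | undefined, p: Perm): boolean {
  return res !== undefined && (res.perms[user] ?? []).includes(p);
}

// Model of the vulnerable shares.create: with published=false only "read"
// is checked on each referenced item, and both ids may be supplied at once.
function createShareVulnerable(env: Env, user: string, s: Share): boolean {
  const col = s.collectionId ? env.collections[s.collectionId] : undefined;
  const doc = s.documentId ? env.documents[s.documentId] : undefined;
  const need: Perm = s.published ? "share" : "read";
  if (s.collectionId && !has(user, col, need)) return false;
  if (s.documentId && !has(user, doc, need)) return false;
  return s.collectionId !== undefined || s.documentId !== undefined;
}

// Model of the vulnerable shares.update: publication is allowed if the user
// may share EITHER the collection OR the document (the OR policy).
function publishShareVulnerable(env: Env, user: string, s: Share): boolean {
  const col = s.collectionId ? env.collections[s.collectionId] : undefined;
  const doc = s.documentId ? env.documents[s.documentId] : undefined;
  return has(user, col, "share") || has(user, doc, "share");
}

// Hardened model: "share" is required on every referenced item regardless
// of the published flag, and a document may only be paired with the
// collection it belongs to.
function shareAuthorizedHardened(env: Env, user: string, s: Share): boolean {
  const col = s.collectionId ? env.collections[s.collectionId] : undefined;
  const doc = s.documentId ? env.documents[s.documentId] : undefined;
  if (!s.collectionId && !s.documentId) return false;
  if (s.collectionId && !has(user, col, "share")) return false;
  if (s.documentId && !has(user, doc, "share")) return false;
  if (col && doc && doc.collectionId !== col.id) return false;
  return true;
}

// Constructed sample data: "attacker" owns collection "own" and can only
// read collection "hr" and its document "secret".
const env: Env = {
  collections: {
    own: { id: "own", perms: { attacker: ["read", "share"] } },
    hr: { id: "hr", perms: { attacker: ["read"] } },
  },
  documents: {
    memo: { id: "memo", collectionId: "own", perms: { attacker: ["read", "share"] } },
    secret: { id: "secret", collectionId: "hr", perms: { attacker: ["read"] } },
  },
};

// Walks the attack path under both models and returns the outcomes.
function scenario() {
  const cross: Share = { collectionId: "own", documentId: "secret", published: false };
  const legit: Share = { collectionId: "own", documentId: "memo", published: false };
  const created = createShareVulnerable(env, "attacker", cross);
  const publishedVulnerable =
    created && publishShareVulnerable(env, "attacker", { ...cross, published: true });
  return {
    created,                                                   // true
    publishedVulnerable,                                       // true: OR policy passes
    hardened: shareAuthorizedHardened(env, "attacker", cross), // false
    hardenedLegit: shareAuthorizedHardened(env, "attacker", legit), // true
  };
}

console.log(JSON.stringify(scenario()));
```

The cross-collection share is accepted by the vulnerable create path because only read access is checked, and its publication succeeds because the attacker's own collection satisfies the OR policy. The hardened check refuses it twice over: the document lacks share permission, and it does not belong to the referenced collection; the legitimate share of the attacker's own document still passes.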
How can this vulnerability impact me?
This vulnerability can expose sensitive documents publicly. An attacker who can share any one collection could publish any document they are able to read, including documents in collections they have no share permission on, so that anyone holding the share link can read it without authenticating. The result is leakage of confidential document contents.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Outline to version 1.7.0 or later, where the issue is fixed. After upgrading, review existing published shares, in particular any share whose document does not belong to the collection it references, and unpublish any that expose content its creator was not entitled to share.