CVE-2026-44695
Received Received - Intake
Outline Slack Integration OAuth State Validation Bypass

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in Outline user complete the callback and link that user's Outline account to the attacker's Slack team_id and user_id. The linked Slack identity can then use the Slack /outline search command as the victim Outline user. This vulnerability is fixed in 1.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-44695
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
outline outline 1.7.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Outline service before version 1.7.1, specifically its Slack integration callback for the GET /auth/slack.post endpoint. The issue is that the OAuth state value used in the callback is unsigned and session-independent. This means that a third party who obtains a Slack OAuth code for the same Outline Slack client can trick a logged-in Outline user into completing the callback. As a result, the attacker can link the victim's Outline account to the attacker's Slack team_id and user_id.

Once linked, the attacker can use the Slack /outline search command as if they were the victim Outline user, effectively impersonating them within the Slack integration.

This vulnerability was fixed in Outline version 1.7.1.

Impact Analysis

This vulnerability can lead to unauthorized access and impersonation within the Outline service via its Slack integration. An attacker who exploits this flaw can link their Slack identity to a victim's Outline account and perform actions on behalf of the victim using the Slack /outline search command.

The impact includes potential exposure of sensitive documentation or information accessible through Outline, as the attacker can search and interact with the victim's Outline data through Slack.

The CVSS base score of 5.8 indicates a moderate severity, with high confidentiality impact but no impact on integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Outline service to version 1.7.1 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart