CVE-2026-44695
Received Received - Intake

Outline Slack Integration OAuth State Validation Bypass

Vulnerability report for CVE-2026-44695, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description

Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in Outline user complete the callback and link that user's Outline account to the attacker's Slack team_id and user_id. The linked Slack identity can then use the Slack /outline search command as the victim Outline user. This vulnerability is fixed in 1.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-07-11
AI Q&A
2026-05-12
EPSS Evaluated
2026-07-10
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
outline outline 1.7.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Outline service before version 1.7.1, specifically its Slack integration callback for the GET /auth/slack.post endpoint. The issue is that the OAuth state value used in the callback is unsigned and session-independent. This means that a third party who obtains a Slack OAuth code for the same Outline Slack client can trick a logged-in Outline user into completing the callback. As a result, the attacker can link the victim's Outline account to the attacker's Slack team_id and user_id.

Once linked, the attacker can use the Slack /outline search command as if they were the victim Outline user, effectively impersonating them within the Slack integration.

This vulnerability was fixed in Outline version 1.7.1.

Impact Analysis

This vulnerability can lead to unauthorized access and impersonation within the Outline service via its Slack integration. An attacker who exploits this flaw can link their Slack identity to a victim's Outline account and perform actions on behalf of the victim using the Slack /outline search command.

The impact includes potential exposure of sensitive documentation or information accessible through Outline, as the attacker can search and interact with the victim's Outline data through Slack.

The CVSS base score of 5.8 indicates a moderate severity, with high confidentiality impact but no impact on integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Outline service to version 1.7.1 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart