CVE-2026-54573
Status: Deferred - Pending Action
Authentication Bypass via URL Fragment in Outline

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.
Affected Vendors & Products (1 associated CPE)
Vendor: outline
Product: outline
Version / Range: 1.8.0
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Compliance Impact

This vulnerability allows privilege escalation by bypassing API key scope restrictions, enabling unauthorized actions such as creating documents with a read-only key.

Such unauthorized access and privilege escalation can lead to violations of data protection and access control requirements mandated by common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance by allowing unauthorized data modification or access within the Outline service.

Executive Summary

CVE-2026-54573 is an authorization bypass vulnerability in the Outline application caused by how the AuthenticationHelper.canAccess function processes URLs. The function uses ctx.originalUrl to check if an API key or OAuth token has the required permissions by extracting the last segment of the URL. However, it does not remove the URL fragment (the part after #). Since the routing system (Koa's router) ignores the fragment and routes based on ctx.path, an attacker can append a fragment containing a permitted path to a restricted endpoint. This tricks the system into allowing unauthorized access by evaluating the permitted path in the fragment instead of the actual restricted endpoint, leading to privilege escalation.

Impact Analysis

This vulnerability allows an attacker to bypass API key scope restrictions and escalate privileges. For example, an attacker with a read-only API key could perform restricted actions like creating documents, which should normally be disallowed. This unauthorized access can lead to data manipulation, unauthorized changes, and potential compromise of the collaborative documentation managed by Outline.

Detection Guidance

This vulnerability can be detected by monitoring API requests that include URL fragments (the part after a #) appended to restricted endpoints. Specifically, look for requests where the URL contains a fragment that references a permitted path while the main path is a restricted endpoint.

For example, a request such as POST /api/documents.create#foo/api/documents.info, where the restricted endpoint is followed by a fragment that carries the permitted path used to bypass the scope check.

You can use network monitoring tools or web server logs to search for such patterns.

  • Use grep on server access logs to find restricted endpoints followed by a fragment, e.g.:
    grep -E "/api/documents\.create#" /path/to/access.log
  • Or use tools like tcpdump or Wireshark to capture HTTP requests and filter for request targets containing '#' characters on restricted API endpoints.
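The flawed resource extraction and its hardened form, together with the access-log pattern from the detection guidance, as an added JavaScript example that is not Outline's own code: the scope names, the Common Log Format sample lines and all helper names are assumptions made for illustration.

```javascript
// Added example, not Outline's code: models the flawed scope check and its fix.
// Assumed: an API key carries a list of allowed resource names ("documents.info"),
// and a request's resource is the last segment of its path.
function resourceVulnerable(originalUrl) {
  // Flawed: last "/"-segment of the raw URL, query string and "#" fragment included.
  return originalUrl.split("/").pop();
}

function resourceFixed(originalUrl) {
  // Hardened: parse first so "?" and "#" are dropped, then use the pathname,
  // which is the same value the router matches on.
  const { pathname } = new URL(originalUrl, "http://localhost");
  return pathname.split("/").filter(Boolean).pop() ?? "";
}

function canAccess(allowedResources, originalUrl, extractResource) {
  return allowedResources.includes(extractResource(originalUrl));
}

// Constructed inputs: a read-only key allowed only to call documents.info.
const READ_ONLY_SCOPES = ["documents.info"];
const CRAFTED_URL = "/api/documents.create#foo/api/documents.info";

function demoScopeCheck() {
  return {
    vulnerableCrafted: canAccess(READ_ONLY_SCOPES, CRAFTED_URL, resourceVulnerable),
    fixedCrafted: canAccess(READ_ONLY_SCOPES, CRAFTED_URL, resourceFixed),
  };
}

// Detection: return access-log lines (common log format) whose request target
// carries a "#" fragment on one of the restricted endpoints.
function flagFragmentRequests(logLines, restrictedEndpoints) {
  const requestLine = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/;
  return logLines.filter((line) => {
    const m = requestLine.exec(line);
    const hash = m ? m[1].indexOf("#") : -1;
    if (hash === -1) return false;
    return restrictedEndpoints.includes(m[1].slice(0, hash).split("?")[0]);
  });
}
// Constructed sample log lines.
const SAMPLE_LOG = [
  '10.0.0.5 - - [25/Jun/2026:10:00:01 +0000] "POST /api/documents.info HTTP/1.1" 200 512',
  '10.0.0.7 - - [25/Jun/2026:10:00:02 +0000] "POST /api/documents.create#foo/api/documents.info HTTP/1.1" 200 731',
  '10.0.0.9 - - [25/Jun/2026:10:00:03 +0000] "POST /api/documents.create HTTP/1.1" 403 88',
];

console.log(demoScopeCheck(), flagFragmentRequests(SAMPLE_LOG, ["/api/documents.create"]));
```

The log check only sees a fragment if the client actually sent it in the request line and the log records the raw target, so apply it to logs taken at a point where the traffic is decrypted, such as the reverse proxy in front of Outline.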
Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Outline service to version 1.8.0 or later, where the issue is fixed.

Until the upgrade can be applied, consider implementing network-level controls to block or monitor requests containing URL fragments on restricted API endpoints.

Additionally, review API key scopes and audit usage to detect any unauthorized privilege escalations.
