{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41649", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-21T23:58:43.802Z", "datePublished": "2026-04-28T20:11:28.283Z", "dateUpdated": "2026-04-28T20:11:28.283Z"}, "containers": {"cna": {"title": "Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/outline/outline/security/advisories/GHSA-23jj-rp48-w7q7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/outline/outline/security/advisories/GHSA-23jj-rp48-w7q7"}, {"name": "https://github.com/outline/outline/commit/1b91a295e10f58a1088c54f533773788325ff460", "tags": ["x_refsource_MISC"], "url": "https://github.com/outline/outline/commit/1b91a295e10f58a1088c54f533773788325ff460"}, {"name": "https://github.com/outline/outline/releases/tag/v1.7.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/outline/outline/releases/tag/v1.7.0"}], "affected": [{"vendor": "outline", "product": "outline", "versions": [{"version": ">= 0.86.0, < 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-28T20:11:28.283Z"}, "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch."}], "source": {"advisory": "GHSA-23jj-rp48-w7q7", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch."}], "id": "CVE-2026-41649", "lastModified": "2026-04-28T22:16:49.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-28T22:16:49.747", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/outline/outline/commit/1b91a295e10f58a1088c54f533773788325ff460"}, {"source": "security-advisories@github.com", "url": "https://github.com/outline/outline/releases/tag/v1.7.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/outline/outline/security/advisories/GHSA-23jj-rp48-w7q7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T01:16:18.977011+00:00", "value": {"mitigation_remediation": ["Upgrade Outline to version 1.7.0 or later, which removes the IDOR bug.", "Restrict the shares.create endpoint to administrators only until the upgrade can be applied, ensuring only trusted users can create share links.", "Review and revoke any existing public share links that were created before the patch, and monitor for new unauthorized share creations."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized disclosure of private documents"}, "threat_synthesis": {"affected_systems": "The affected product is Outline, v0.86.0 through v1.6.x (inclusive). The fix was introduced in v1.7.0. Any deployment running a version in that range without the patch is susceptible.", "description_and_impact": "In Outline\u2019s shares.create API, versions 0.86.0 to 1.6.x allow an authenticated user to pass both collectionId and documentId. The authorization check validates only the collection, ignoring the document, enabling the attacker to generate a legitimate public share link for any document, even those in other workspaces. The resulting link can be used to retrieve full document content via documents.info, effectively disclosing sensitive information.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high severity vulnerability, and the EPSS score is unavailable, so the current exploitation probability is unknown. The vulnerability is not listed in KEV, suggesting no widespread exploitation reported. Attackers need authenticated access to the Outline instance; once authenticated, they can invoke shares.create to create unauthorized share links. Because the abuse does not require elevated privileges beyond ordinary authenticated users, the risk surface is broad. Organizations should treat it as a moderate-to-high risk and act promptly."}}}}, "created": "2026-04-29T01:30:06.141433+00:00", "updated": "2026-04-29T01:30:06.141456+00:00", "vendors": []}