CVE-2026-43889 | THREATINT

Description

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-11 | Updated 2026-05-12 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 1.7.0

affected

References

github.com/...utline/security/advisories/GHSA-rg4j-pmch-w6pm exploit

github.com/...utline/security/advisories/GHSA-rg4j-pmch-w6pm

cve.org (CVE-2026-43889)

nvd.nist.gov (CVE-2026-43889)

Download JSON