CVE-2026-41649 Overview
CVE-2026-41649 is an Insecure Direct Object Reference (IDOR) vulnerability in Outline, a popular collaborative documentation service. The vulnerability exists in the shares.create API endpoint in versions 0.86.0 through 1.6.x, where improper authorization logic allows authenticated attackers to generate public share links for any document on the platform, including those belonging to other workspaces.
When both collectionId and documentId parameters are provided in a share creation request, the authorization logic only validates access to the collection while completely ignoring document-level permissions. This oversight enables unauthorized access to sensitive documents across the entire platform, as attackers can retrieve full document contents via the documents.info endpoint using the generated share link.
Critical Impact
Authenticated attackers can access and share any document on the platform regardless of workspace boundaries, leading to complete confidentiality breach of sensitive documentation.
Affected Products
- Outline versions 0.86.0 through 1.6.x
- Self-hosted Outline deployments
- Outline cloud instances running vulnerable versions
Discovery Timeline
- 2026-04-28 - CVE CVE-2026-41649 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-41649
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a type of Insecure Direct Object Reference flaw. The core issue lies in how the shares.create API endpoint handles authorization when creating public share links for documents.
When a request includes both collectionId and documentId parameters, the backend authorization middleware only validates whether the requesting user has access to the specified collection. The document ID is accepted without verification, allowing an attacker to specify any document ID on the platform—including documents from other workspaces or restricted collections they don't have access to.
The impact is severe from a confidentiality perspective: an authenticated user with minimal privileges can systematically enumerate and exfiltrate documents from any workspace on the platform. The vulnerability requires network access and low-privilege authentication, but once exploited, it allows complete bypass of document-level access controls with no user interaction required.
Root Cause
The root cause stems from incomplete authorization logic in the shares.create endpoint. The authorization check validates collection-level access but fails to verify that the requesting user has legitimate access to the specific document being shared. This creates a classic IDOR condition where user-supplied document identifiers are trusted without proper authorization validation.
The flawed logic assumes that if a user can access a collection, they should be able to share any document—but the system accepts document IDs that may not belong to that collection or may be from entirely different workspaces.
Attack Vector
The attack is network-based and requires authentication with any valid user account on the Outline platform. An attacker follows these steps:
- Authenticate to the Outline instance with any valid credentials
- Send a POST request to the shares.create endpoint
- Include a collectionId for a collection they have access to
- Include a documentId for any document on the platform (obtained through enumeration or insider knowledge)
- Receive a valid public share link for the target document
- Access full document contents via the documents.info endpoint using the generated share token
The security patch addresses rate limiting and JWT verification to improve overall API security:
import { ApiKey, OAuthAuthentication } from "@server/models";
import Redis from "@server/storage/redis";
import type { AppContext } from "@server/types";
-import { getJWTPayload } from "@server/utils/jwt";
+import { getUserForJWT } from "@server/utils/jwt";
import RateLimiter from "@server/utils/RateLimiter";
import { parseAuthentication } from "./authentication";
/**
* Returns a unique identifier for rate limiting based on the request context.
- * Combines the user ID from the JWT payload with the client's IP address for
- * authenticated requests, otherwise falls back to the client's IP address alone.
+ * Keys on the user id (so users behind a shared NAT don't share a bucket) when
+ * a token can be associated with a user, otherwise falls back to the client's
+ * IP address.
*
* @param ctx The application context.
* @returns A string identifier for rate limiting.
*/
-function getRateLimiterIdentifier(ctx: AppContext): string {
+async function getRateLimiterIdentifier(ctx: AppContext): Promise<string> {
try {
const { token } = parseAuthentication(ctx);
- if (token && !ApiKey.match(token) && !OAuthAuthentication.match(token)) {
- // Note: JWT is not validated here which would require a DB request,
- // just decoded to extract the user ID for separating rate limits by user
- // on shared networks.
- const payload = getJWTPayload(token);
- if (payload.id) {
- return `user:${payload.id}:${ctx.ip}`;
Source: GitHub Commit Details
Detection Methods for CVE-2026-41649
Indicators of Compromise
- Unusual volume of share link creation requests from a single user or IP address
- API requests to shares.create containing document IDs from workspaces the user doesn't belong to
- Multiple failed or anomalous documents.info requests using share tokens
- Audit log entries showing share creation for documents the user has never viewed or edited
Detection Strategies
- Monitor the shares.create API endpoint for requests where documentId doesn't match documents within the specified collectionId
- Implement correlation rules to detect users creating share links for documents they've never accessed before
- Alert on high-frequency share creation activity that exceeds normal usage patterns
- Review access logs for cross-workspace document access attempts
Monitoring Recommendations
- Enable detailed API logging for all share-related endpoints including shares.create and documents.info
- Configure SIEM rules to correlate share creation events with user workspace membership
- Implement anomaly detection for share link generation frequency per user
- Set up alerts for access to sensitive documents via share tokens from unusual IP addresses or geolocations
How to Mitigate CVE-2026-41649
Immediate Actions Required
- Upgrade Outline to version 1.7.0 or later immediately
- Audit existing share links created during the vulnerable period for potential unauthorized access
- Review API access logs for suspicious share creation patterns
- Consider revoking all share links and regenerating only those that are legitimate
Patch Information
The vulnerability has been addressed in Outline version 1.7.0. The fix implements proper authorization checks to verify that the requesting user has legitimate access to the specific document before generating a share link. The patch ensures that both collection-level and document-level permissions are validated.
Review the GitHub Security Advisory GHSA-23jj-rp48-w7q7 for complete details. The release notes for v1.7.0 contain the security fix.
Workarounds
- Temporarily disable the document sharing feature by restricting access to the shares.create endpoint at the network or application level
- Implement additional authorization middleware to validate document access before processing share requests
- Use network-level access controls to limit API access to trusted IP ranges
- Consider placing vulnerable instances behind a web application firewall (WAF) with rules to inspect share creation requests
# Example: Nginx configuration to temporarily block share creation endpoint
location /api/shares.create {
# Temporarily deny access to vulnerable endpoint
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

