CVE-2026-43886 Overview
CVE-2026-43886 is a privilege escalation vulnerability in Outline, a collaborative documentation service. The flaw exists in the OAuthInterface.validateScope() function across versions 0.84.0 through 1.6.1. The function uses Array.some() to validate requested OAuth scopes, which causes it to accept the entire scope array when any single scope passes validation. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to unrestricted API access. The vulnerability is tracked under [CWE-269: Improper Privilege Management] and was fixed in Outline 1.7.0.
Critical Impact
A successful attack converts a benign read-only OAuth token into a fully privileged token capable of write, delete, and administrative API operations.
Affected Products
- Outline versions 0.84.0 through 1.6.1
- Self-hosted Outline deployments using OAuth integrations
- Outline instances exposing the OAuth authorization endpoint
Discovery Timeline
- 2026-05-11 - CVE-2026-43886 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43886
Vulnerability Analysis
The vulnerability stems from incorrect use of JavaScript's Array.some() method inside OAuthInterface.validateScope(). The Array.some() method returns true if at least one element in the array satisfies the predicate. When applied to OAuth scope validation, the function approves the full requested scope list when any single scope is valid.
An attacker exploits this by appending the wildcard * scope to a legitimate scope value. A request such as scope=read * passes validation because read is permitted, but the resulting token also carries the smuggled * scope. The wildcard grants unrestricted API access, including write, delete, and administrative operations.
The attack requires user interaction to authorize the OAuth flow, but the user only sees the benign scope description. The impact extends beyond the originating user because OAuth tokens can be used to modify shared workspace content.
Root Cause
The root cause is a logic error in scope set validation. Correct validation requires Array.every() semantics, where every requested scope must appear in the allowlist. By using Array.some(), the function fails open and trusts any scope list containing at least one approved entry.
Attack Vector
The attack is delivered through the standard OAuth authorization endpoint. An attacker registers an OAuth client, then crafts an authorization URL with a scope parameter combining a low-privilege scope and the wildcard. The vulnerable validator approves the request, and the issued access token bypasses scope restrictions on subsequent API calls.
No authenticated attacker privileges are required against Outline itself. The OAuth flow does require the victim to approve the application, which classifies this under user interaction required. See the GitHub Security Advisory for technical details published by the Outline maintainers.
Detection Methods for CVE-2026-43886
Indicators of Compromise
- OAuth authorization requests containing the wildcard * character inside the scope parameter
- Access tokens issued with scope strings such as read *, read_user *, or similar concatenations
- API write or delete operations performed by tokens originally provisioned for read-only access
- New OAuth applications registered shortly before anomalous administrative API calls
Detection Strategies
- Audit OAuth authorization logs for scope values containing characters outside the documented scope vocabulary
- Correlate token issuance scope with the subsequent API endpoints accessed by that token
- Alert on tokens that perform DELETE, POST, or admin namespace calls when their granted scope should permit only read
- Review database records for OAuthAuthorization entries with malformed or oversized scope arrays
Monitoring Recommendations
- Enable verbose logging on the /oauth/authorize and /oauth/token endpoints
- Forward Outline application logs to a central log platform and apply detections for wildcard scope patterns
- Monitor administrative actions, including user role changes and workspace deletions, attributed to OAuth tokens rather than session cookies
How to Mitigate CVE-2026-43886
Immediate Actions Required
- Upgrade Outline to version 1.7.0 or later, which replaces the faulty validation logic
- Revoke all OAuth access tokens and refresh tokens issued by vulnerable instances
- Audit registered OAuth applications and remove any that are unknown or unused
- Review recent administrative API activity for unauthorized changes performed via OAuth tokens
Patch Information
The vulnerability is fixed in Outline 1.7.0. The fix replaces the Array.some() call in OAuthInterface.validateScope() with a check that requires every requested scope to be valid. Refer to the GitHub Security Advisory GHSA-7732-6qrg-wjf4 for commit references and release notes.
Workarounds
- Disable third-party OAuth application registration until the upgrade is applied
- Restrict OAuth client creation to trusted administrators only
- Apply a reverse-proxy rule that rejects authorization requests where the scope parameter contains a space-delimited wildcard or unexpected characters
# Example nginx rule rejecting wildcard scopes at the proxy layer
location /oauth/authorize {
if ($arg_scope ~* "(^|[[:space:]+])\*") {
return 400;
}
proxy_pass http://outline_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

