CVE-2026-43888 Overview
CVE-2026-43888 is a path traversal vulnerability [CWE-22] in Outline, a collaborative documentation service. Versions prior to 1.7.0 contain a flaw in ZipHelper.extract that allows authenticated attackers to write files outside the extraction sandbox. The flaw stems from the trimFileAndExt helper truncating long filesystem paths to a bare filename, causing extracted files to land in the process working directory. Attackers can craft a malicious zip import that escapes the sandbox and persists after cleanup. The vulnerability is fixed in Outline 1.7.0.
Critical Impact
A malicious zip import can write attacker-controlled files outside the extraction sandbox, with high impact to integrity and availability of the Outline host process.
Affected Products
- Outline (collaborative documentation service)
- All versions prior to 1.7.0
- Self-hosted Outline deployments processing user-supplied zip imports
Discovery Timeline
- 2026-05-11 - CVE-2026-43888 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43888
Vulnerability Analysis
The vulnerability resides in ZipHelper.extract, which computes a destination path for each entry in an uploaded zip archive. Outline joins the extraction sandbox path with the entry's nested path, then passes the result through trimFileAndExt. That helper is designed to truncate filenames that exceed MAX_PATH_LENGTH (4096 bytes), but it invokes path.basename on its input during truncation.
When the joined path exceeds the limit, trimFileAndExt silently discards every directory component and returns only the final filename. fs.createWriteStream then opens that filename relative to the process working directory rather than the intended sandbox. The extracted file persists on disk because cleanupExtractedData only removes the temporary extraction directory, not files outside it.
Root Cause
The root cause is unsafe path normalization. trimFileAndExt was implemented as a filename helper but is applied to full filesystem paths. When the path exceeds MAX_PATH_LENGTH, the basename operation strips the sandbox prefix and produces an unanchored relative filename.
Attack Vector
An authenticated attacker with permission to import zip archives crafts an entry whose nested path is long enough to push the joined filesystem path beyond 4096 bytes. Outline then writes the entry's contents to a file in the Node.js process working directory. Because cleanup only targets the temporary extraction folder, the dropped file remains after import completes.
No verified public exploit code is available. Refer to the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-43888
Indicators of Compromise
- Unexpected files appearing in the Outline process working directory after zip import operations
- Zip archive uploads containing entries with abnormally long nested path components (approaching or exceeding 4096 bytes)
- File writes by the Outline Node.js process to paths outside the configured temporary extraction directory
Detection Strategies
- Inspect application logs for import operations that reference zip entries with deeply nested directory structures
- Audit the Outline server working directory for files created during or shortly after import events
- Monitor fs.createWriteStream activity through process-level file integrity monitoring on hosts running Outline
Monitoring Recommendations
- Enable filesystem auditing on the Outline working directory and parent paths
- Alert on any file creation event by the Outline process outside the designated extraction sandbox
- Retain zip import artifacts for forensic review when anomalous file writes are detected
How to Mitigate CVE-2026-43888
Immediate Actions Required
- Upgrade Outline to version 1.7.0 or later, which contains the fix for ZipHelper.extract
- Restrict zip import functionality to trusted users until the patch is applied
- Audit the Outline process working directory for unexpected files written during the exposure window
Patch Information
The vulnerability is fixed in Outline 1.7.0. The patch corrects path handling in ZipHelper.extract so that entries with oversized nested paths do not bypass the extraction sandbox. Review the GitHub Security Advisory GHSA-hw32-2v7j-mgqc for full remediation details.
Workarounds
- Disable the document import feature in self-hosted Outline deployments until upgrading
- Run the Outline process under a dedicated low-privilege user with a working directory that contains no sensitive files
- Apply a reverse proxy rule or upload size limit that rejects zip archives containing excessively long internal paths
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

