Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43889

CVE-2026-43889: Outline Auth Bypass Vulnerability

CVE-2026-43889 is an authentication bypass flaw in Outline's shares API that allows attackers to publish and expose arbitrary documents without proper authorization. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-43889 Overview

CVE-2026-43889 is a broken authorization vulnerability [CWE-863] in Outline, an open-source collaborative documentation service. Versions prior to 1.7.0 improperly enforce permission checks in the shares.create API. The endpoint accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access rather than the required share permission. An authenticated attacker with share permission on any single collection can leverage this flaw to publish an arbitrary document as a public share. The resulting share is accessible to unauthenticated users on the internet, exposing confidential documents. The maintainers fixed the issue in version 1.7.0.

Critical Impact

An attacker with low-privileged access to one collection can expose any document in the Outline instance to unauthenticated users on the public internet.

Affected Products

  • Outline collaborative documentation service
  • All Outline versions prior to 1.7.0
  • Self-hosted and managed Outline deployments using the shares API

Discovery Timeline

  • 2026-05-11 - CVE-2026-43889 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-43889

Vulnerability Analysis

The vulnerability resides in the shares.create API endpoint of Outline. The endpoint accepts both collectionId and documentId parameters in a single request. When the request specifies published=false, the authorization logic only validates read access to each referenced resource. The mandatory share permission check is skipped during share creation.

A follow-up call to shares.update then publishes the share. The update endpoint authorizes publication using an OR policy: the caller must have share permission on either the collection or the document. An attacker who legitimately holds share permission on one unrelated collection satisfies the OR condition. The publication succeeds even though the target document belongs to a different collection the attacker cannot share.

The outcome is a public share URL that exposes a document the attacker has no legitimate permission to disclose. Unauthenticated users can read the document content through the share link.

Root Cause

The root cause is inconsistent enforcement of authorization across two API endpoints that operate on the same resource. The shares.create endpoint omits the share permission check when published=false, and shares.update applies an overly permissive OR policy across the collection and document scopes. The combination allows attackers to chain low-privilege actions into a confidentiality breach.

Attack Vector

Exploitation requires an authenticated user account with share permission on at least one collection in the target Outline instance. The attacker calls shares.create with the target documentId and an unrelated collectionId they control, setting published=false to bypass the share check. The attacker then calls shares.update to set published=true, producing a public share URL for the targeted document. No user interaction from the document owner is required.

The vulnerability manifests in the shares.create and shares.update authorization logic. See the GitHub Security Advisory for additional technical context.

Detection Methods for CVE-2026-43889

Indicators of Compromise

  • Unexpected entries in the Outline shares table where the document owner did not initiate the share
  • Public share URLs referencing documents whose owners have no record of publishing them
  • API audit log entries showing shares.create calls with mismatched collectionId and documentId parameters
  • shares.update calls toggling published to true shortly after a shares.create request from the same user

Detection Strategies

  • Review Outline application audit logs for shares.create requests that include both collectionId and documentId parameters in the same call
  • Correlate share creation events with the document owner identity to surface shares created by users who do not own or collaborate on the target document
  • Alert on rapid sequences of shares.create followed by shares.update with published=true from the same actor

Monitoring Recommendations

  • Ingest Outline application and reverse-proxy access logs into a centralized log platform for retention and search
  • Monitor outbound public share URL access patterns for traffic to documents containing sensitive classifications
  • Track changes to the shares table and alert on bulk creation by a single account

How to Mitigate CVE-2026-43889

Immediate Actions Required

  • Upgrade all Outline deployments to version 1.7.0 or later without delay
  • Audit existing public shares in the database and revoke any that cannot be attributed to a legitimate document owner
  • Review user accounts with collection-level share permissions and remove unnecessary grants

Patch Information

The vulnerability is fixed in Outline version 1.7.0. The fix corrects the authorization logic in shares.create to enforce the share permission regardless of the published flag, and aligns the shares.update policy to verify share permission against the actual document scope. Refer to the GitHub Security Advisory GHSA-rg4j-pmch-w6pm for release details.

Workarounds

  • No vendor-supplied workaround is available; upgrading to 1.7.0 is the required remediation
  • As an interim measure, restrict share permissions on collections to a minimal set of trusted administrators
  • Disable public sharing at the instance level if the feature is not required by business workflows
bash
# Upgrade Outline to the patched release
docker pull outlinewiki/outline:1.7.0
docker stop outline && docker rm outline
docker run -d --name outline --env-file .env outlinewiki/outline:1.7.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.