CVE-2026-43890 Overview
Outline is a collaborative documentation service used by teams to manage internal knowledge bases. A broken authorization flaw [CWE-639] affects the subscriptions.create API endpoint in Outline versions 0.84.0 through 1.7.0. The endpoint validates only the collectionId parameter when both collectionId and documentId are submitted, while the underlying subscription is written against the unvalidated documentId. An authenticated attacker can create a subscription tied to a victim document on any team in the instance, bypassing read access controls. The issue is fixed in Outline 1.7.1.
Critical Impact
Authenticated attackers can attach subscriptions to documents they have no read access to, enabling cross-tenant access to documents across any team in the instance.
Affected Products
- Outline versions 0.84.0 through 1.7.0
- server/routes/api/subscriptions/subscriptions.ts route handler
- server/commands/subscriptionCreator.ts command
Discovery Timeline
- 2026-05-11 - CVE-2026-43890 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43890
Vulnerability Analysis
The vulnerability is a broken object-level authorization flaw in Outline's subscription API. The request schema in server/routes/api/subscriptions/schema.ts uses a .refine() validator requiring at least one of collectionId or documentId to be present. The schema does not enforce mutual exclusivity, so a request containing both parameters is schema-conforming and reaches the route handler.
Inside server/routes/api/subscriptions/subscriptions.ts, the authorization check at line 125 follows an if (collectionId) branch. When collectionId is supplied, the handler verifies access to the collection and proceeds without validating documentId. Control then passes to subscriptionCreator in server/commands/subscriptionCreator.ts, which persists the subscription record against the supplied documentId rather than the authorized collection.
The result is a subscription pinned to the attacker's user identity but referencing a document on any team within the instance, regardless of read permissions.
Root Cause
The root cause is inconsistent parameter handling between the authorization layer and the persistence layer. The route authorizes one identifier while the command writes against a different identifier, with no cross-check that the two refer to the same resource.
Attack Vector
An authenticated user submits a POST request to the subscriptions.create endpoint with both a collectionId the attacker legitimately controls and a documentId belonging to an unauthorized document. The handler validates the collection branch, the command writes the subscription against the victim document, and the attacker establishes a subscription record on a resource outside their permission scope.
Technical details are documented in the Outline GitHub Security Advisory GHSA-gf8h-cv9v-q4fw.
Detection Methods for CVE-2026-43890
Indicators of Compromise
- API requests to subscriptions.create containing both collectionId and documentId in the same payload.
- Subscription database records where the documentId does not belong to the same team or collection as the subscribing user.
- Audit log entries showing subscription creation by users without prior read events on the referenced document.
Detection Strategies
- Inspect application logs for POST /api/subscriptions.create requests that include both identifiers and flag them for review.
- Query the subscriptions table for entries linking users to documents across team boundaries.
- Correlate subscription creation timestamps with document access history to identify subscriptions without preceding authorized reads.
Monitoring Recommendations
- Enable verbose API request logging for the subscriptions route group on Outline servers.
- Forward Outline application logs to a centralized analytics platform and alert on cross-team subscription patterns.
- Track per-user rates of subscription creation and investigate accounts that produce sudden spikes.
How to Mitigate CVE-2026-43890
Immediate Actions Required
- Upgrade Outline to version 1.7.1 or later, where the authorization logic is corrected.
- Audit the subscriptions table for records created during the exposure window and remove unauthorized entries.
- Review API access logs for the subscriptions.create endpoint and identify accounts that submitted requests containing both collectionId and documentId.
Patch Information
The fix is included in Outline 1.7.1. Refer to the Outline GitHub Security Advisory GHSA-gf8h-cv9v-q4fw for patch details and upgrade instructions.
Workarounds
- Apply an upstream web application firewall rule that rejects subscriptions.create requests carrying both collectionId and documentId parameters.
- Restrict access to the Outline instance to trusted authenticated users until the upgrade is applied.
- Increase audit review frequency for subscription records and remove any anomalous entries pending the patch deployment.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

