CVE-2026-43890

Outline · Outline

Outline contains an authorization bypass vulnerability via a user-controlled key, allowing authenticated users to access unauthorized collaborative documentation.

Executive summary

An authorization bypass vulnerability in Outline collaborative documentation software allows authenticated users to access restricted data, posing a significant risk to information confidentiality.

Vulnerability

This is an authorization bypass vulnerability (CWE-639) where an attacker with low-level authenticated access can manipulate user-controlled keys to gain unauthorized access to documentation they are not permitted to view.

Business impact

The exploitation of this vulnerability results in a loss of confidentiality regarding sensitive documentation stored within the Outline platform. With a CVSS score of 7.7, this high-severity flaw could lead to the exposure of proprietary information, internal strategy documents, or sensitive user data, potentially resulting in severe reputational and competitive damage.

Remediation

Immediate Action: Upgrade Outline instances to version 1.7.1 or later immediately.

Proactive Monitoring: Review audit logs for unusual access patterns, specifically looking for users attempting to access document IDs or collaborative spaces outside of their assigned permissions.

Compensating Controls: Implement strict network access controls and ensure that the platform is not exposed to the public internet without an authenticated proxy or VPN.

Exploitation status

Public Exploit Available: Unknown — there is no confirmed public exploit or weaponized module available.

Analyst recommendation

Given the confirmed existence of a proof-of-concept and the high-severity impact on data confidentiality, organizations must prioritize upgrading their Outline deployments to version 1.7.1. Delaying this update exposes sensitive internal documentation to unauthorized access by authenticated users.