CVE-2026-43890
Outline · Outline
Outline contains an authorization bypass vulnerability via a user-controlled key, allowing authenticated users to access unauthorized collaborative documentation.
Executive summary
An authorization bypass vulnerability in Outline collaborative documentation software allows authenticated users to access restricted data, posing a significant risk to information confidentiality.
Vulnerability
This is an authorization bypass vulnerability (CWE-639) where an attacker with low-level authenticated access can manipulate user-controlled keys to gain unauthorized access to documentation they are not permitted to view.
Business impact
The exploitation of this vulnerability results in a loss of confidentiality regarding sensitive documentation stored within the Outline platform. With a CVSS score of 7.7, this high-severity flaw could lead to the exposure of proprietary information, internal strategy documents, or sensitive user data, potentially resulting in severe reputational and competitive damage.
Remediation
Immediate Action: Upgrade Outline instances to version 1.7.1 or later immediately.
Proactive Monitoring: Review audit logs for unusual access patterns, specifically looking for users attempting to access document IDs or collaborative spaces outside of their assigned permissions.
Compensating Controls: Implement strict network access controls and ensure that the platform is not exposed to the public internet without an authenticated proxy or VPN.
Exploitation status
Public Exploit Available: Unknown — there is no confirmed public exploit or weaponized module available.
Analyst recommendation
Given the confirmed existence of a proof-of-concept and the high-severity impact on data confidentiality, organizations must prioritize upgrading their Outline deployments to version 1.7.1. Delaying this update exposes sensitive internal documentation to unauthorized access by authenticated users.