CVE-2026-24901 HIGH

CVE-2026-24901: Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts

Vendor Outline
Product outline
Weakness CWE-639 · IDOR
Published March 17, 2026
Last update March 17, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. Version 1.4.0 fixes the issue.

Key dates

02Disclosure timeline

March 17, 2026 CVE published
March 17, 2026 Record updated

Related vulnerabilities

04Related CVE