CVE-2026-43889 MEDIUM

CVE-2026-43889: Outline: Unauthorized Document Publication via Mixed collectionId+documentId Share

Vendor Outline

Product outline

Weakness CWE-863 · Incorrect authorization

Published May 11, 2026

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.

Key dates

02Disclosure timeline

May 11, 2026 CVE published

May 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-43889 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-43889: Outline: Unauthorized Document Publication via Mixed collectionId+documentId Share

01Description

02Disclosure timeline

03References

04Related CVE