Cyber Resilience

CVE-2025-64487

High

Published: 11 February 2026

Published
11 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
EPSS Score 0.0001 3.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64487 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Getoutline Outline. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-64487 is a privilege escalation vulnerability in the Outline document management system, a service for collaborative documentation. The issue stems from inconsistent authorization checks between user and group membership management endpoints in versions prior to 1.1.0, allowing improper escalation of privileges. It is rated with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and maps to CWE-269 (Improper Privilege Management).

An authenticated user with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction from a higher-privileged victim. Successful exploitation changes the scope to high, enabling the attacker to achieve high confidentiality impact by accessing sensitive data, with low integrity impact and no availability impact. This typically involves tricking a privileged user into performing an action that triggers the flawed authorization logic, resulting in unauthorized group membership changes or similar escalations.

The vulnerability is fixed in Outline version 1.1.0, as detailed in the project's release notes and security advisory. Security practitioners should prioritize updating to v1.1.0 or later to mitigate the risk, with relevant details available at the GitHub release page and GHSA advisory.

EU & UK References

Vulnerability details

Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This vulnerability is fixed in…

more

1.1.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation via inconsistent authorization checks enabling unauthorized group membership changes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24901Same product: Getoutline Outline
CVE-2023-54331Same product: Getoutline Outline
CVE-2026-41649Same product: Getoutline Outline
CVE-2026-33640Same product: Getoutline Outline
CVE-2024-44250Shared CWE-269
CVE-2024-53706Shared CWE-269
CVE-2025-66374Shared CWE-269
CVE-2026-28995Shared CWE-269
CVE-2025-43199Shared CWE-269
CVE-2025-36640Shared CWE-269

Affected Assets

getoutline
outline
≤ 1.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the privilege escalation by requiring timely remediation of the specific flaw through patching to Outline v1.1.0, which fixes the inconsistent authorization checks.

prevent

Mandates consistent enforcement of approved authorizations across endpoints, directly countering the inconsistent checks between user and group membership management that enable escalation.

prevent

Enforces least privilege to minimize the privileges available for escalation and limit the impact of improper privilege management as in CWE-269.

References