CVE-2025-64487
Published: 11 February 2026
Summary
CVE-2025-64487 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Getoutline Outline. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
Enforces proper privilege management by requiring all decisions through the verified reference monitor.
By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Implements core proper privilege management by restricting to only required rights.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct privilege escalation via inconsistent authorization checks enabling unauthorized group membership changes.
NVD Description
Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This vulnerability is fixed in…
more
1.1.0.
Deeper analysisAI
CVE-2025-64487 is a privilege escalation vulnerability in the Outline document management system, a service for collaborative documentation. The issue stems from inconsistent authorization checks between user and group membership management endpoints in versions prior to 1.1.0, allowing improper escalation of privileges. It is rated with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and maps to CWE-269 (Improper Privilege Management).
An authenticated user with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction from a higher-privileged victim. Successful exploitation changes the scope to high, enabling the attacker to achieve high confidentiality impact by accessing sensitive data, with low integrity impact and no availability impact. This typically involves tricking a privileged user into performing an action that triggers the flawed authorization logic, resulting in unauthorized group membership changes or similar escalations.
The vulnerability is fixed in Outline version 1.1.0, as detailed in the project's release notes and security advisory. Security practitioners should prioritize updating to v1.1.0 or later to mitigate the risk, with relevant details available at the GitHub release page and GHSA advisory.
Details
- CWE(s)