CVE-2025-64487
Published: 11 February 2026
Summary
CVE-2025-64487 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Getoutline Outline. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-64487 is a privilege escalation vulnerability in the Outline document management system, a service for collaborative documentation. The issue stems from inconsistent authorization checks between user and group membership management endpoints in versions prior to 1.1.0, allowing improper escalation of privileges. It is rated with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and maps to CWE-269 (Improper Privilege Management).
An authenticated user with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction from a higher-privileged victim. Successful exploitation changes the scope to high, enabling the attacker to achieve high confidentiality impact by accessing sensitive data, with low integrity impact and no availability impact. This typically involves tricking a privileged user into performing an action that triggers the flawed authorization logic, resulting in unauthorized group membership changes or similar escalations.
The vulnerability is fixed in Outline version 1.1.0, as detailed in the project's release notes and security advisory. Security practitioners should prioritize updating to v1.1.0 or later to mitigate the risk, with relevant details available at the GitHub release page and GHSA advisory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207025
Vulnerability details
Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This vulnerability is fixed in…
more
1.1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct privilege escalation via inconsistent authorization checks enabling unauthorized group membership changes.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the privilege escalation by requiring timely remediation of the specific flaw through patching to Outline v1.1.0, which fixes the inconsistent authorization checks.
Mandates consistent enforcement of approved authorizations across endpoints, directly countering the inconsistent checks between user and group membership management that enable escalation.
Enforces least privilege to minimize the privileges available for escalation and limit the impact of improper privilege management as in CWE-269.