CVE-2026-24901
Published: 17 March 2026
Summary
CVE-2026-24901 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Getoutline Outline. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly preventing the IDOR by requiring ownership validation in the document restoration logic.
SI-10 requires that inputs such as the document ID supplied to the restore operation be treated as untrusted and checked against the caller's authorizations, rather than accepted as a reference to content the caller is entitled to restore, so that only authorized team members can access and restore deleted drafts.
SI-2 (Flaw Remediation) covers identifying and promptly remediating flaws such as this ownership bypass, in practice by upgrading Outline to version 1.4.0 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR sits in the Outline web application, which is typically deployed as a public-facing service, so an authenticated team member can exploit it remotely to gain unauthorized access to and manipulate data in the documentation repository. Seizing ownership of other users' drafts, including administrators' drafts, amounts to an effective privilege escalation within the workspace.
NVD Description
Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. Version 1.4.0 fixes the issue.
Deeper analysis
CVE-2026-24901 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the Outline collaborative documentation service in versions prior to 1.4.0. The flaw resides in the document restoration logic, where ownership validation is bypassed, enabling unauthorized access to deleted drafts. The CVE, published on March 17, 2026, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): high confidentiality and integrity impact, no availability impact, low attack complexity, low privileges required and no user interaction.
Any authenticated team member can exploit this vulnerability remotely without user interaction. By targeting the restore process, attackers can unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. This grants access to sensitive private information and effectively locks the original owner out of their content.
The GitHub security advisory (GHSA-gmr5-43f5-79f5) confirms that upgrading to Outline version 1.4.0 resolves the issue by addressing the ownership validation bypass in the restoration logic. Security practitioners should prioritize patching affected instances to prevent unauthorized data access and ownership hijacking.
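As an added illustration, not Outline's source code and not the 1.4.0 patch, the following TypeScript models a deleted-draft restore operation in two forms: first with the IDOR the advisory describes (the caller-supplied document ID is trusted as a reference to something the caller may restore, and ownership is reassigned to the caller), then with authorization enforced on the object the ID resolves to, which is what AC-3 calls for. The in-memory store, the field names (createdById, publishedAt, deletedAt), the sample documents and the policy that only a draft's creator may restore it are assumptions made for this example.

```typescript
// Added example, not Outline's source: a minimal model of a "restore deleted
// document" operation, first with an Insecure Direct Object Reference
// (CWE-639) and then with authorization enforced on the referenced object.
// Field names, the in-memory store and the access policy are assumptions.

type UserId = string;

interface User {
  id: UserId;
  isAdmin: boolean;
}

interface Doc {
  id: string;
  title: string;
  createdById: UserId;       // the draft's owner
  publishedAt: Date | null;  // null means the document is still a draft
  deletedAt: Date | null;    // non-null means it sits in the trash
}

// Constructed sample data standing in for the database.
function sampleStore(): Map<string, Doc> {
  const docs: Doc[] = [
    { id: "doc-admin-draft", title: "Q3 incident postmortem (draft)",
      createdById: "u-admin", publishedAt: null, deletedAt: new Date("2026-03-01") },
    { id: "doc-mallory-draft", title: "Lunch ideas",
      createdById: "u-mallory", publishedAt: null, deletedAt: new Date("2026-03-02") },
    { id: "doc-public", title: "Onboarding guide",
      createdById: "u-admin", publishedAt: new Date("2025-12-01"), deletedAt: new Date("2026-03-03") },
  ];
  return new Map(docs.map((d) => [d.id, d]));
}

// VULNERABLE: the caller-supplied id is trusted as a reference to something
// the caller may restore. Any authenticated team member can restore any
// deleted draft and, because ownership is reassigned, seize it.
function restoreVulnerable(store: Map<string, Doc>, actor: User, documentId: string): Doc {
  const doc = store.get(documentId);
  if (!doc || doc.deletedAt === null) {
    throw new Error("not found");
  }
  doc.deletedAt = null;
  doc.createdById = actor.id; // ownership transferred to whoever called restore
  return doc;
}

// Policy (assumed for this example): drafts are private, so only the user who
// created a draft may restore it; a published document is team content and any
// team member may restore it. Admin status does not override draft privacy.
function canRestore(actor: User, doc: Doc): boolean {
  const isDraft = doc.publishedAt === null;
  return isDraft ? doc.createdById === actor.id : true;
}

// HARDENED: authorization is checked against the object the id resolves to
// (NIST AC-3), and restoring never changes ownership.
function restoreHardened(store: Map<string, Doc>, actor: User, documentId: string): Doc {
  const doc = store.get(documentId);
  // Same error for "does not exist" and "not yours": a distinct 403 would let
  // an attacker enumerate which ids are real.
  if (!doc || doc.deletedAt === null || !canRestore(actor, doc)) {
    throw new Error("not found");
  }
  doc.deletedAt = null;
  return doc;
}

// Stand-alone walk-through: Mallory, an ordinary team member, targets the
// admin's deleted draft under both implementations.
function demo(): { vulnerableOwner: UserId; hardenedBlocked: boolean } {
  const mallory: User = { id: "u-mallory", isAdmin: false };
  const vulnerableOwner = restoreVulnerable(sampleStore(), mallory, "doc-admin-draft").createdById;
  let hardenedBlocked = false;
  try {
    restoreHardened(sampleStore(), mallory, "doc-admin-draft");
  } catch {
    hardenedBlocked = true;
  }
  return { vulnerableOwner, hardenedBlocked };
}

console.log(JSON.stringify(demo()));
```

The point the hardened version makes is that the check has to be applied to the record the ID resolves to, after the lookup, not to the shape of the ID (which is all plain input validation can do). Whether the real fix in 1.4.0 uses the same policy is not stated on this page; the example only shows the class of check that closes a CWE-639 gap.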
Details
- CWE(s)