CVE-2026-41649
Published: 28 April 2026
Summary
CVE-2026-41649 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Getoutline Outline. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). The vulnerability ranks in the 9.2 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for logical access to resources like documents, directly addressing the failure to check documentId access in the shares.create endpoint.
AC-25 mandates a reference monitor to enforce access control policies without bypass, preventing IDOR exploitation via flawed authorization logic.
AC-24 requires explicit authorization decisions for specific system resources such as documents, ensuring collection access does not grant unauthorized document share creation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR in shares.create API bypasses document authorization checks, enabling unauthorized retrieval of document contents from the Outline documentation service (an information repository).
NVD Description
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.
Deeper analysis
CVE-2026-41649 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting the Outline collaborative documentation service. The issue resides in the `shares.create` API endpoint for versions starting from 0.86.0 up to but not including 1.7.0. When both `collectionId` and `documentId` are supplied in a request, the authorization logic validates access only to the collection and never checks the specific document, so a caller can create share links for documents they are not authorized to read.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The scope is changed (S:C), reflecting that access obtained in one workspace reaches documents in another, and the impact is a high confidentiality loss (C:H). By supplying a `collectionId` they legitimately have access to alongside an arbitrary `documentId`, even one from another workspace, the attacker obtains a valid public share link; the full document contents can then be read via the `documents.info` endpoint. The CVSS v3.1 base score is 7.7.
Outline addressed the vulnerability in version 1.7.0, as detailed in the project's security advisory (GHSA-23jj-rp48-w7q7), release notes, and the patching commit (1b91a295e10f58a1088c54f533773788325ff460). Security practitioners should upgrade to 1.7.0 or later to mitigate the issue.
Details
- CWE(s)