Brute Force Vulnerability in Outline Documentation Service
CVE-2026-33640

9.1 CRITICAL

Key Information:

Vendor: Outline
Status: Vendor
CVE Published: 26 March 2026

What is CVE-2026-33640?

Outline, a collaborative documentation service, is vulnerable because its Email OTP login mechanism does not invalidate an OTP code after multiple invalid attempts; it relies solely on a rate limiter to bound the number of submissions. Because the code stays valid no matter how many guesses fail, any bypass of the rate limiter lets an attacker submit a large number of OTP codes within the code's validity window, which poses a significant risk of account takeover. The issue has been addressed in Outline version 1.6.0.
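The mitigation described above, as an added example that is not Outline's own code: an OTP store that burns the code after a bounded number of failed guesses, so that an attacker who gets past the request rate limiter still cannot exhaust the code space. The class, method names, the five-failure limit and the ten-minute validity window are assumptions; the guessing simulation at the end only exists to show the difference between the two configurations against this in-memory store.

```typescript
// Added example (not Outline's code). Limits and names are assumptions.
interface OtpRecord { code: string; expiresAt: number; failures: number; }

// Compare without leaking where the first differing digit is.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class OtpStore {
  private records = new Map<string, OtpRecord>();
  constructor(
    private readonly maxFailures: number,        // invalidate after this many bad guesses
    private readonly ttlMs: number = 10 * 60_000 // code validity window (assumed 10 min)
  ) {}

  issue(email: string, code: string, now = Date.now()): void {
    // A fresh code replaces any outstanding one and resets its failure count.
    this.records.set(email, { code, expiresAt: now + this.ttlMs, failures: 0 });
  }

  verify(email: string, guess: string, now = Date.now()): "ok" | "invalid" | "no_code" {
    const rec = this.records.get(email);
    if (!rec || now >= rec.expiresAt) { this.records.delete(email); return "no_code"; }
    if (constantTimeEqual(rec.code, guess)) { this.records.delete(email); return "ok"; } // single use
    rec.failures += 1;
    if (rec.failures >= this.maxFailures) this.records.delete(email); // burn the code
    return "invalid";
  }
}

// Simulates a client that is no longer slowed by the rate limiter and tries every
// code in order. Returns the number of guesses needed, or -1 once the store has
// invalidated the code. Only a limiter (maxFailures = Infinity) lets it finish.
function exhaustiveGuessing(store: OtpStore, email: string, digits: number): number {
  const space = 10 ** digits;
  for (let i = 0; i < space; i++) {
    const r = store.verify(email, String(i).padStart(digits, "0"));
    if (r === "ok") return i + 1;
    if (r === "no_code") return -1;
  }
  return -1;
}
```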

Affected Version(s)

outline >= 0.86.0, < 1.6.0

References

CVSS V4

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
