Insecure Direct Object Reference in Outline Service Allows Unauthorized Document Access
CVE-2026-41649

7.7HIGH

Key Information:

Vendor

Outline

Status
Outline
Vendor
CVE Published:
28 April 2026

What is CVE-2026-41649?

Outline, a collaborative documentation service, has been identified with an insecure direct object reference vulnerability in the shares.create API endpoint. This issue, present in versions 0.86.0 through 1.6.9, allows an authenticated attacker to generate valid public share links for documents belonging to other workspaces without proper authorization checks. Specifically, the vulnerability arises when both collectionId and documentId are included in the request. The system's authorization logic only verifies access to the collection, failing to check permissions against the specific document, thus exposing sensitive document content through the documents.info endpoint. The issue has been addressed in version 1.7.0.

Affected Version(s)

outline >= 0.86.0, < 1.7.0

References

https://github.com/outline/outline/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/outline/outline/commit/1b91a295e10f58a...
x_refsource_MISC
https://github.com/outline/outline/releases/tag/v1.7.0
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.