Broken Authorization in Outline Documentation Service
CVE-2026-43890

7.7 HIGH

Key Information:

Vendor: Outline

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-43890?

The Outline Documentation Service has a vulnerability in its `subscriptions.create` API endpoint, where improper authorization checks allow attackers to create subscriptions tied to documents they should not have access to. Specifically, when both `collectionId` and `documentId` are provided, the system fails to verify the `documentId`. This oversight lets malicious users link their account to victim documents, violating intended access controls. The vulnerability is fixed in version 1.7.1 and underlines the importance of strict validation in API interactions.
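The authorization gap described above, reduced to a minimal sketch beside a corrected check. This is an added example, not Outline's code: the ACL data, the function names and the if/else structure are assumptions made to illustrate how a second identifier can go unchecked.

```javascript
// Added illustration; NOT Outline's source. All names and data are hypothetical.
// Constructed ACL: mallory can read col-public only; doc-secret is in col-private.
const collectionReaders = new Map([
  ["col-public", new Set(["alice", "mallory"])],
  ["col-private", new Set(["alice"])],
]);
const documentCollection = new Map([["doc-secret", "col-private"]]);

function canReadCollection(user, collectionId) {
  const readers = collectionReaders.get(collectionId);
  return readers !== undefined && readers.has(user);
}

function canReadDocument(user, documentId) {
  const collectionId = documentCollection.get(documentId);
  return collectionId !== undefined && canReadCollection(user, collectionId);
}

// Flawed pattern: the first identifier present decides which check runs, so a
// documentId sent alongside an authorized collectionId is stored unchecked.
function createSubscriptionFlawed(user, { collectionId, documentId }) {
  if (collectionId) {
    if (!canReadCollection(user, collectionId)) throw new Error("forbidden");
  } else if (documentId) {
    if (!canReadDocument(user, documentId)) throw new Error("forbidden");
  } else {
    throw new Error("collectionId or documentId required");
  }
  return { userId: user, collectionId, documentId };
}

// Hardened pattern: every identifier that ends up on the stored record is
// authorized independently before the subscription is created.
function createSubscriptionChecked(user, { collectionId, documentId }) {
  if (!collectionId && !documentId) {
    throw new Error("collectionId or documentId required");
  }
  if (collectionId && !canReadCollection(user, collectionId)) {
    throw new Error("forbidden");
  }
  if (documentId && !canReadDocument(user, documentId)) {
    throw new Error("forbidden");
  }
  return { userId: user, collectionId, documentId };
}
```

A regression test for the fix should send both identifiers together, since a request carrying only one of them passes through either version correctly.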

Affected Version(s)

outline >= 0.82.1, < 1.7.1

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
