CVE-2026-41649

Source
https://cve.org/CVERecord?id=CVE-2026-41649
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41649.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41649
Aliases
  • GHSA-23jj-rp48-w7q7
Published
2026-04-28T20:11:28.283Z
Modified
2026-07-08T08:10:43.359666739Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces
Details

Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both collectionId and documentId are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the documents.info endpoint. Version 1.7.0 contains a patch.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41649.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/outline/outline

Affected ranges

Type
GIT
Repo
https://github.com/outline/outline
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:getoutline:outline:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.86.0"
        },
        {
            "fixed": "1.7.0"
        }
    ]
}

Affected versions

v0.*
v0.86.0
v0.87.0
v0.87.1
v0.87.2
v0.87.4
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.2.0
v1.2.0-0
v1.4.0
v1.5.0
v1.6.0
v1.6.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41649.json"