Which versions of Outline are affected by CVE-2026-33640?

Outline collaborative documentation service versions 0.86.0 through 1.5.x contain a critical account takeover vulnerability enabling unauthenticated attackers to bypass email OTP authentication…. A patch is available.

How to fix or mitigate CVE-2026-33640?

Within 24 hours: inventory all Outline deployments and confirm installed versions. Within 7 days: upgrade all instances to version 1.6.0 or later (latest stable release containing the fix). Within 30 days: audit access logs for authentication anomalies between deployment date and patch application; reset passwords for all users as a precaution.

Outline CVE-2026-33640

Q: What is the CVSS score of CVE-2026-33640?

CVE-2026-33640 has a CVSS 4.0 base score of 9.1 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-16415 CRITICAL

Improper Restriction of Excessive Authentication Attempts (CWE-307)

2026-03-26 GitHub_M

Authentication Bypass Outline

9.1

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:48 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.6.0

EUVD ID Assigned

Mar 26, 2026 - 21:16 euvd

EUVD-2026-16415

Analysis Generated

Mar 26, 2026 - 21:16 vuln.today

CVE Published

Mar 26, 2026 - 20:56 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue.

AnalysisAI

Account takeover in Outline collaborative documentation service versions 0.86.0 through 1.5.x enables unauthenticated attackers to brute force Email OTP codes due to insufficient validation logic combined with rate limiter bypass. Attackers can submit unlimited OTP attempts within the code's validity window, compromising user accounts. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access Outline email OTP login

Delivery

Bypass rate limiter restrictions

Exploit

Brute force OTP code submissions

Execution

Guess valid code within lifetime

Impact

Achieve account takeover