Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.
Analysis
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.
An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafte
Outline versions up to - contains a vulnerability that allows attackers to potentially execute arbitrary code with eleva
An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and chang
Outline versions prior to 1.4.0 fail to validate attachment file paths during JSON import, allowing authenticated attack
Outline is an open source, collaborative document editor. Rated medium severity (CVSS 5.4), this vulnerability is remote
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. Rated medium severity (CVSS 5.
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. Rated medium severity (CVSS 5
Account takeover in Outline collaborative documentation service versions 0.86.0 through 1.5.x enables unauthenticated at
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extract
An Insecure Direct Object Reference (IDOR) vulnerability in Outline's document restoration logic allows any authenticate
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API end
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29330