Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with low complexity; PR:L because a valid API key is required; integrity impact is Low as unauthorized writes are possible but scoped within the application; no confidentiality or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.
AnalysisAI
API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The AuthenticationHelper.canAccess function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid but limited-scope API key or OAuth token for the target Outline instance (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L reflects a real but bounded risk: the attack is network-reachable with low complexity and requires only a valid API key (PR:L), but the integrity impact is rated Low (VI:L) and there is no confidentiality or availability dimension. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker is issued a read-only API key scoped to `documents.info` for an Outline integration. They craft a request to the restricted endpoint `/api/documents.create#foo/api/documents.info` with their read-only API key. … |
| Remediation | Vendor-released patch: Outline 1.8.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafte
Outline versions up to - contains a vulnerability that allows attackers to potentially execute arbitrary code with eleva
An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and chang
Outline versions prior to 1.4.0 fail to validate attachment file paths during JSON import, allowing authenticated attack
Outline is an open source, collaborative document editor. Rated medium severity (CVSS 5.4), this vulnerability is remote
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. Rated medium severity (CVSS 5.
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. Rated medium severity (CVSS 5
Account takeover in Outline collaborative documentation service versions 0.86.0 through 1.5.x enables unauthenticated at
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extract
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.
An Insecure Direct Object Reference (IDOR) vulnerability in Outline's document restoration logic allows any authenticate
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API end
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39466