Skip to main content

Outline EUVDEUVD-2026-39466

| CVE-2026-54573 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-25 GitHub_M
5.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable with low complexity; PR:L because a valid API key is required; integrity impact is Low as unauthorized writes are possible but scoped within the application; no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 18:03 EUVD
Analysis Generated
Jun 25, 2026 - 17:22 vuln.today

DescriptionCVE.org

Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.

AnalysisAI

API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The AuthenticationHelper.canAccess function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain limited-scope API key
Delivery
Identify restricted target endpoint
Exploit
Append permitted-path fragment to restricted URL
Execution
Send authenticated request to crafted URL
Persist
canAccess evaluates fragment path instead of actual endpoint
Impact
Scope restriction bypassed, restricted action executed

Vulnerability AssessmentAI

Exploitation The attacker must possess a valid but limited-scope API key or OAuth token for the target Outline instance (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L reflects a real but bounded risk: the attack is network-reachable with low complexity and requires only a valid API key (PR:L), but the integrity impact is rated Low (VI:L) and there is no confidentiality or availability dimension. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker is issued a read-only API key scoped to `documents.info` for an Outline integration. They craft a request to the restricted endpoint `/api/documents.create#foo/api/documents.info` with their read-only API key. …
Remediation Vendor-released patch: Outline 1.8.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-37829 HIGH POC
8.8 Jul 09

An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafte

CVE-2023-54331 HIGH POC
7.8 Jan 13

Outline versions up to - contains a vulnerability that allows attackers to potentially execute arbitrary code with eleva

CVE-2024-37830 MEDIUM POC
6.1 Jul 09

An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and chang

CVE-2026-25062 MEDIUM POC
5.5 Feb 11

Outline versions prior to 1.4.0 fail to validate attachment file paths during JSON import, allowing authenticated attack

CVE-2024-40626 MEDIUM POC
5.4 Jul 16

Outline is an open source, collaborative document editor. Rated medium severity (CVSS 5.4), this vulnerability is remote

CVE-2023-3532 MEDIUM POC
5.4 Jul 07

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. Rated medium severity (CVSS 5.

CVE-2022-2342 MEDIUM POC
5.4 Jul 07

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. Rated medium severity (CVSS 5

CVE-2026-33640 CRITICAL
9.1 Mar 26

Account takeover in Outline collaborative documentation service versions 0.86.0 through 1.5.x enables unauthenticated at

CVE-2026-43888 HIGH
8.7 May 11

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extract

CVE-2026-43886 HIGH
8.2 May 11

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.

CVE-2026-24901 HIGH
8.1 Mar 17

An Insecure Direct Object Reference (IDOR) vulnerability in Outline's document restoration logic allows any authenticate

CVE-2026-43890 HIGH
7.7 May 11

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API end

Share

EUVD-2026-39466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy