CVE-2026-41649— Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41649
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces
Source: NVD (National Vulnerability Database)
Vulnerability Description
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Outline 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Outline是Outline开源的一个知识库。 Outline 0.86.0版本至1.7.0之前版本存在安全漏洞,该漏洞源于不安全的直接对象引用,当请求中同时提供collectionId和documentId时,授权逻辑仅检查对集合的访问,完全忽略文档,可能导致经过身份验证的攻击者为平台上的任何文档生成有效的公共共享链接,并通过documents.info端点检索完整文档内容。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41649
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41649
请登录查看更多情报信息。
- Release v1.7.0 · outline/outline · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-41649
IV. Related Vulnerabilities
Same product: outline
- CVE-2026-33640
Outline has a rate limit bypass that allows brute force of e - CVE-2026-28506
Outline's Information Disclosure in Activity Logs allows Use - CVE-2026-24901
Outline's IDOR allows unauthorized viewing and seizing of pr - CVE-2025-68663
Outline has a suspended user authentication bypass via WebSo - CVE-2025-64487
Outline is vulnerable to privilege escalation vulnerability
Same vendor: outline
- CVE-2026-33640
Outline has a rate limit bypass that allows brute force of e - CVE-2026-28506
Outline's Information Disclosure in Activity Logs allows Use - CVE-2026-24901
Outline's IDOR allows unauthorized viewing and seizing of pr - CVE-2025-68663
Outline has a suspended user authentication bypass via WebSo - CVE-2025-64487
Outline is vulnerable to privilege escalation vulnerability
Same weakness: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-44400
MailEnable Enterprise Premium < 10.55 Authorization Bypass v - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated
V. Comments for CVE-2026-41649
No comments yet