CVE-2026-43890— Outline: IDOR in subscriptions.create allows cross-tenant subscription on private documents (sibling of GHSA-23jj-rp48-w7q7)
Possible ATT&CK Techniques 1AI
T1078 · Valid AccountsGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43890
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Outline: IDOR in subscriptions.create allows cross-tenant subscription on private documents (sibling of GHSA-23jj-rp48-w7q7)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() — it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Outline 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Outline是Outline开源的一个知识库。 Outline 0.84.0版本至1.7.0版本存在安全漏洞,该漏洞源于subscriptions.create API端点存在损坏的授权模式,当同时提供collectionId和documentId时,路由处理程序仅授权集合分支,而下游subscriptionCreator命令针对未验证的documentId写入订阅,导致订阅记录将攻击者用户固定到攻击者无读取权限的受害者文档上。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-43890
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43890
请登录查看更多情报信息。
- https://github.com/outline/outline/security/advisories/GHSA-gf8h-cv9v-q4fwx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-43890
Same Patch Batch · outline · 2026-05-11 · 6 CVEs total
| CVE-2026-43888 | 8.7 HIGH | Outline: Zip Extraction Path Escape via PATH_MAX Truncation in Collection Import |
| CVE-2026-43886 | 8.2 HIGH | Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Ac |
| CVE-2026-43887 | 7.3 HIGH | Outline: Stored XSS via Comment Mentions |
| CVE-2026-43889 | 6.5 MEDIUM | Outline: Unauthorized Document Publication via Mixed collectionId+documentId Share |
| CVE-2026-44695 | 5.8 MEDIUM | Outline: Slack OAuth state can link a victim Outline account to an attacker Slack identity |
IV. Related Vulnerabilities
Same product: outline
- CVE-2026-44695
Outline: Slack OAuth state can link a victim Outline account - CVE-2026-43889
Outline: Unauthorized Document Publication via Mixed collect - CVE-2026-43888
Outline: Zip Extraction Path Escape via PATH_MAX Truncation - CVE-2026-43886
Outline: OAuth Scope Validation Logic Error Allows Privilege - CVE-2026-43887
Outline: Stored XSS via Comment Mentions
Same vendor: outline
- CVE-2026-44695
Outline: Slack OAuth state can link a victim Outline account - CVE-2026-43889
Outline: Unauthorized Document Publication via Mixed collect - CVE-2026-43888
Outline: Zip Extraction Path Escape via PATH_MAX Truncation - CVE-2026-43886
Outline: OAuth Scope Validation Logic Error Allows Privilege - CVE-2026-43887
Outline: Stored XSS via Comment Mentions
Same weakness: CWE-639
- CVE-2026-42097
Authentication Bypass in Sparx Pro Cloud Server - CVE-2026-37978
Keycloak: org.keycloak.services: keycloak: information discl - CVE-2026-4630
Keycloak: keycloak: unauthorized resource access and data mo - CVE-2026-33052
MantisBT: Authorization Bypass in Global Profile Creation - CVE-2026-41949
Dify v1.14.1 Authorization Bypass via File Preview Endpoint
V. Comments for CVE-2026-43890
No comments yet