Outline Insecure Direct Object Reference (CVE-2026-41649) Exposes Documents

The National Vulnerability Database (NVD) highlights CVE-2026-41649, a high-severity Insecure Direct Object Reference (IDOR) vulnerability in Outline, a collaborative documentation service. This flaw, present in versions 0.86.0 through 1.6.x, allows an authenticated attacker to generate valid public share links for any document on the platform, regardless of workspace ownership.

The vulnerability stems from a logical flaw in the shares.create API endpoint. When a request includes both collectionId and documentId, Outline’s authorization logic only verifies access to the collection, completely ignoring the specified document. This bypass enables an attacker to craft a public share for sensitive documents they shouldn’t have access to, subsequently retrieving the full document contents via the documents.info endpoint. A patch is available in version 1.7.0.
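The authorization mistake described above, as an added illustration that is not Outline's own code: a simplified share-creation check that trusts `documentId` whenever `collectionId` is present, beside a version that authorizes every referenced object. The user, collection and document shapes, the helper names and the sample data are all constructed assumptions.

```typescript
// Constructed model of the shares.create authorization decision (not Outline's code).
type Id = string;
interface User { id: Id; collectionIds: Set<Id> } // collections the user may read
interface Document { id: Id; collectionId: Id }
interface ShareRequest { collectionId?: Id; documentId?: Id }

// Constructed sample data: the user may read "col-public" but not "col-hr".
const documents = new Map<Id, Document>([
  ["doc-public", { id: "doc-public", collectionId: "col-public" }],
  ["doc-secret", { id: "doc-secret", collectionId: "col-hr" }],
]);
const lowPrivUser: User = { id: "u-1", collectionIds: new Set(["col-public"]) };

function canReadCollection(user: User, collectionId: Id): boolean {
  return user.collectionIds.has(collectionId);
}

function canReadDocument(user: User, documentId: Id): boolean {
  const doc = documents.get(documentId);
  return doc !== undefined && canReadCollection(user, doc.collectionId);
}

// Vulnerable pattern: when collectionId is supplied, only the collection is
// authorized and documentId is accepted unchecked (the IDOR the advisory describes).
function authorizeShareVulnerable(user: User, req: ShareRequest): boolean {
  if (req.collectionId) return canReadCollection(user, req.collectionId);
  if (req.documentId) return canReadDocument(user, req.documentId);
  return false;
}

// Hardened pattern: each object named in the request is authorized on its own,
// and a document must actually belong to the collection the request names.
function authorizeShareFixed(user: User, req: ShareRequest): boolean {
  if (!req.collectionId && !req.documentId) return false;
  if (req.collectionId && !canReadCollection(user, req.collectionId)) return false;
  if (req.documentId) {
    const doc = documents.get(req.documentId);
    if (!doc || !canReadCollection(user, doc.collectionId)) return false;
    if (req.collectionId && doc.collectionId !== req.collectionId) return false;
  }
  return true;
}
```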

This isn’t just a theoretical issue; it’s a direct path to data exposure. Organizations using affected Outline versions face a critical risk of unauthorized disclosure of confidential information. Attackers don’t need elevated privileges, just a valid account, to start exfiltrating data across workspaces. The CVSS score of 7.7 (HIGH) reflects the significant impact on confidentiality.

What This Means For You

  • If your organization utilizes Outline for documentation, you must immediately verify your version. If you are running any version between 0.86.0 and 1.6.x, you are vulnerable. Prioritize upgrading to Outline version 1.7.0 or later to patch CVE-2026-41649. Audit public share links and document access logs for any suspicious activity indicating unauthorized sharing.

🛡️ Detection Rules

high T1190 Initial Access

CVE-2026-41649 - Outline Insecure Direct Object Reference for Document Access

title: CVE-2026-41649 - Outline Insecure Direct Object Reference for Document Access
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
  Detects the specific API call pattern for CVE-2026-41649 where an attacker crafts a request to the `shares.create` endpoint with both `collectionId` and `documentId` parameters. This bypasses authorization checks and allows the creation of a public share link for any document, enabling unauthorized access.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41649/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/shares.create'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'collectionId='
      - 'documentId='
  selection_base:
    sc-status:
      - '200'
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-41649 | IDOR                   | Outline service, versions 0.86.0 to 1.6.x
CVE-2026-41649 | IDOR                   | Outline API endpoint: shares.create
CVE-2026-41649 | Information Disclosure | Outline API endpoint: documents.info

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
