Outline Service Vulnerability CVE-2026-43888 Allows Directory Traversal
The National Vulnerability Database has disclosed CVE-2026-43888, a high-severity vulnerability (CVSS 8.7) in Outline, a collaborative documentation service. This flaw, present in versions prior to 1.7.0, allows for directory traversal due to improper path handling during zip file extraction. Specifically, the ZipHelper.extract function, when processing an entry with an excessively long nested path, incorrectly truncates the path, causing fs.createWriteStream to create files outside the intended temporary extraction directory.
This bypass allows an attacker to write arbitrary files to the process working directory, escaping the extraction sandbox. Crucially, these rogue files persist even after the import cleanup process, as cleanupExtractedData only targets the temporary extraction directory. This opens the door for persistent arbitrary file write, a critical primitive for achieving remote code execution or system compromise.
For defenders, this means any Outline instance running a vulnerable version is exposed. The attacker’s calculus here is straightforward: craft a malicious zip file, trigger an import, and gain persistent foothold. The PR:H (Privileges Required: High) vector indicates an authenticated attacker, but the potential impact (complete system compromise) makes this a serious threat.
What This Means For You
- If your organization uses Outline for collaborative documentation, immediately verify your version. Any instance prior to 1.7.0 is vulnerable to CVE-2026-43888. Patching to version 1.7.0 or later is critical to prevent authenticated attackers from writing arbitrary files and potentially compromising your system. Review your Outline deployment logs for any suspicious file import activities.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-43888 - Outline Directory Traversal via Zip Extraction
title: CVE-2026-43888 - Outline Directory Traversal via Zip Extraction
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
This rule detects attempts to write files outside of the intended sandbox directory during zip extraction, as exploited by CVE-2026-43888. The vulnerability occurs when a zip entry's nested path is long enough to cause trimFileAndExt to drop directory components, leading fs.createWriteStream to open files relative to the process working directory. This rule specifically looks for file write operations attempting to traverse directories using '..'.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-43888/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: file_event
detection:
selection:
TargetFilename|startswith:
- '..'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43888 | Path Traversal | Outline service, versions prior to 1.7.0 |
| CVE-2026-43888 | Path Traversal | Vulnerable component: ZipHelper.extract function |
| CVE-2026-43888 | Path Traversal | Exploitation via crafted zip entry with nested path exceeding MAX_PATH_LENGTH (4096 bytes) |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 01:22 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-8345 — D-Link DIR-816 1.10CNB05_R1B011D88210 Command Injection
CVE-2026-8345 — A security vulnerability has been detected in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this issue is the function sub_445E7C of the file /goform/singlePortForward. Such...
Vaultwarden CVE-2026-43914: Brute-Force Bypass via 2FA Email
CVE-2026-43914 — Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login...
Vaultwarden CVE-2026-43913: Unconfirmed Owners Can Purge Vaults
CVE-2026-43913 — Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault....