Outline CVE-2026-43890: Authorization Bypass Exposes Documents

/HIGH /CVSS 7.7/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-639
Outline CVE-2026-43890: Authorization Bypass Exposes Documents

The National Vulnerability Database has detailed CVE-2026-43890, a high-severity authorization bypass vulnerability affecting Outline, a collaborative documentation service. Versions 0.84.0 through 1.7.0 are impacted. The flaw resides in the subscriptions.create API endpoint where, if both collectionId and documentId are supplied in the request, the system only validates authorization for the collectionId. However, the subscription is erroneously created against the documentId, which was never checked for user access.

This misconfiguration allows an attacker to subscribe their user account to a victim’s document, even if they lack read access. This effectively grants an attacker unauthorized access to sensitive documents across any team within the Outline instance. The schema itself permits this dual-parameter submission, validating the request as legitimate despite the underlying authorization failure. The National Vulnerability Database reports a CVSS score of 7.7 (HIGH).

Outline fixed this vulnerability in version 1.7.1. Organizations utilizing Outline must prioritize updating their instances immediately. This isn’t theoretical; it’s a direct path to data exposure. Attackers are always looking for logic flaws like this where validation is a mile wide but an inch deep.

What This Means For You

  • If your organization uses Outline, you must verify your version immediately. This isn't a complex exploit; it's a clear authorization bypass that hands attackers access to documents they shouldn't see. Patch to version 1.7.1 or later. Anything less is leaving your sensitive data exposed.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Abuse Elevation Control Mechanism: Sudo and Sudo Caching Privilege Escalation T1529 System Shutdown/Reboot Impact

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-43890: Outline Subscriptions API Authorization Bypass

Sigma YAML — free preview 
title: CVE-2026-43890: Outline Subscriptions API Authorization Bypass
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  This rule detects attempts to exploit CVE-2026-43890 by sending a POST request to the subscriptions.create API endpoint with both collectionId and documentId parameters. This bypasses authorization checks, allowing an attacker to subscribe to documents they do not have access to.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43890/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/api/subscriptions/subscriptions.ts'
      cs-method:
          - 'POST'
      cs-uri-query|contains:
          - 'collectionId='
          - 'documentId='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-43890 Auth Bypass Outline versions 0.84.0 to 1.7.0
CVE-2026-43890 Auth Bypass API endpoint: subscriptions.create in server/routes/api/subscriptions/subscriptions.ts
CVE-2026-43890 Auth Bypass Vulnerable component: subscriptionCreator command at server/commands/subscriptionCreator.ts
CVE-2026-43890 Auth Bypass Attack vector: Supplying both collectionId and documentId to subscriptions.create API

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 12, 2026 at 01:22 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-8345 — D-Link DIR-816 1.10CNB05_R1B011D88210 Command Injection

CVE-2026-8345 — A security vulnerability has been detected in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this issue is the function sub_445E7C of the file /goform/singlePortForward. Such...

vulnerabilityCVEmedium-severitycommand-injectioncwe-74cwe-77
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 3 IOCs /⚙ 5 Sigma

Vaultwarden CVE-2026-43914: Brute-Force Bypass via 2FA Email

CVE-2026-43914 — Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login...

vulnerabilityCVEhigh-severitycwe-307
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 3 IOCs /⚙ 3 Sigma

Vaultwarden CVE-2026-43913: Unconfirmed Owners Can Purge Vaults

CVE-2026-43913 — Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault....

vulnerabilityCVEhigh-severitycwe-863
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 3 IOCs /⚙ 3 Sigma