Medium severity6.5NVD Advisory· Published May 11, 2026· Updated May 12, 2026
CVE-2026-43889
CVE-2026-43889
Description
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
10- The time of much patching is comingCisco Talos Intelligence · May 14, 2026
- Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)SANS Internet Storm Center · May 8, 2026
- CISA and Partners Publish Zero Trust Guidance For OT SecurityInfosecurity Magazine · Apr 30, 2026
- Mastering agentic AI security through exposure managementTenable Blog · Apr 29, 2026
- PhantomRPC: A new privilege escalation technique in Windows RPCSecurelist · Apr 24, 2026
- Cyber chief: UK faces "perfect storm" for cyber securityNCSC UK · Apr 21, 2026
- Unweight: how we compressed an LLM 22% without sacrificing qualityCloudflare Blog · Apr 17, 2026
- Former Ukrainian Foreign Minister Dmytro Kuleba to Address the New Cyber Frontline at Infosecurity EuropeInfosecurity Magazine · Mar 24, 2026
- EDR killers explained: Beyond the driversESET WeLiveSecurity · Mar 19, 2026
- Infosecurity Europe Announces 2026 Keynote Line UpInfosecurity Magazine · Mar 11, 2026