Medium severity5.8NVD Advisory· Published May 11, 2026· Updated May 15, 2026
CVE-2026-44695
CVE-2026-44695
Description
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in Outline user complete the callback and link that user's Outline account to the attacker's Slack team_id and user_id. The linked Slack identity can then use the Slack /outline search command as the victim Outline user. This vulnerability is fixed in 1.7.1.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/outline/outline/security/advisories/GHSA-mjgw-5j7q-gv8vnvdExploitVendor Advisory
News mentions
10- The time of much patching is comingCisco Talos Intelligence · May 14, 2026
- Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag, (Fri, May 8th)SANS Internet Storm Center · May 8, 2026
- CISA and Partners Publish Zero Trust Guidance For OT SecurityInfosecurity Magazine · Apr 30, 2026
- Mastering agentic AI security through exposure managementTenable Blog · Apr 29, 2026
- PhantomRPC: A new privilege escalation technique in Windows RPCSecurelist · Apr 24, 2026
- Cyber chief: UK faces "perfect storm" for cyber securityNCSC UK · Apr 21, 2026
- Unweight: how we compressed an LLM 22% without sacrificing qualityCloudflare Blog · Apr 17, 2026
- Former Ukrainian Foreign Minister Dmytro Kuleba to Address the New Cyber Frontline at Infosecurity EuropeInfosecurity Magazine · Mar 24, 2026
- EDR killers explained: Beyond the driversESET WeLiveSecurity · Mar 19, 2026
- Infosecurity Europe Announces 2026 Keynote Line UpInfosecurity Magazine · Mar 11, 2026