CVE-2026-54573

MEDIUM 5.3 (CVSS 4.0)
Description
Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.
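The check/route mismatch described above, modelled as an added example (this is not Outline's code). The scope set, the function names and the sample URLs are constructed for illustration, and `new URL(...).pathname` stands in for Koa's `ctx.path`.

```javascript
// Simplified model of the authorization check described in the advisory.
// ASSUMPTION: a token's scopes are modelled as a set of permitted resource names.

// Stand-in for Koa's ctx.path: the request target without query or fragment.
function routedPath(originalUrl) {
  return new URL(originalUrl, "http://placeholder.invalid").pathname;
}

// Behaviour described for versions before 1.8.0:
// the last "/" segment of ctx.originalUrl, fragment included.
function resourceFromOriginalUrl(originalUrl) {
  return originalUrl.split("/").pop();
}

// Hardened form: derive the resource from the same value the router matches on.
function resourceFromPath(originalUrl) {
  return routedPath(originalUrl).split("/").pop();
}

function canAccess(allowedResources, originalUrl, extract) {
  return allowedResources.has(extract(originalUrl));
}

// Logging aid: HTTP clients do not normally send a fragment in the request
// target, so a "#" arriving at the server is worth recording.
function hasFragment(originalUrl) {
  return new URL(originalUrl, "http://placeholder.invalid").hash !== "";
}

// Constructed sample data: a read-only token and three request targets.
const readOnlyScopes = new Set(["documents.info"]);
const samples = [
  "/api/documents.info",
  "/api/documents.create",
  "/api/documents.create#foo/api/documents.info",
];

function evaluate() {
  return samples.map((url) => ({
    url,
    routedTo: routedPath(url),
    vulnerableCheck: canAccess(readOnlyScopes, url, resourceFromOriginalUrl),
    hardenedCheck: canAccess(readOnlyScopes, url, resourceFromPath),
    fragment: hasFragment(url),
  }));
}

console.table(evaluate());
```

The third row is the case from the description: the request is routed to `/api/documents.create`, the check based on the original URL evaluates `documents.info`, and the path-based check rejects it.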

Metadata

CVE ID: CVE-2026-54573
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-15 19:15 UTC
Published: 2026-06-25 15:59 UTC
Last updated: 2026-06-25 15:59 UTC
Primary CWE: CWE-863: Incorrect Authorization
Vendor / Product: outline / outline
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
| --- | --- | --- | --- |
| outline | outline | | < 1.8.0 |
Weakness (CWE)
| CWE | Source | Description |
| --- | --- | --- |
| CWE-863 | cna | CWE-863: Incorrect Authorization |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
| --- | --- | --- | --- | --- |
| 5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |