CVE-2026-24901 · HIGH 8.8 · EPSS p22.7%


Description

Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to restore, view, and seize ownership of deleted drafts belonging to other users, including administrators, without authorization. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. Version 1.4.0 fixes the issue.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 22.7% · 2026-06-19T12:03:05Z
Published: 2026-03-17
Last modified: 2026-03-19

Underlying weaknesses · 1

CWE-639

References

  1. https://github.com/outline/outline/security/advisories/GHSA-gmr5-43f5-79f5


Type | Target | Confidence | Tier
Weakness | Authorization Bypass Through User-Controlled Key (cwe-639) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-43886
CVE: CVE-2026-33640
CVE: CVE-2026-24756
CVE: CVE-2026-24761
CVE: CVE-2026-24753
CVE: CVE-2026-28374

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.