Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to...

8.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

Description

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.

Basic Information

ID CVE-2026-43886

Source GitHub_M

Published May 11, 2026 at 21:06

Affected Product

Vendor outline

Product outline

Version >= 0.84.0, < 1.7.0

Affected Versions outline outline >= 0.84.0, < 1.7.0

CWE Classification

CWE-269

References

github.com /outline/outline/security/advisories/GHSA-7732-6qrg-wjf4

{
    "lastseen": "",
    "description": "Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.",
    "published": "2026-05-11T21:06:16.529Z",
    "modified": "2026-05-11T21:06:16.529Z",
    "type": "cve",
    "title": "Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access",
    "source": "GitHub_M",
    "references": "https://github.com/outline/outline/security/advisories/GHSA-7732-6qrg-wjf4",
    "id": "CVE-2026-43886",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "outline outline >= 0.84.0, < 1.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "outline",
    "version": ">= 0.84.0, < 1.7.0",
    "vendor": "outline",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access_CVE-2026-43886