PT-2026-25905 · Outline

Nlgbao1340 · Published 2026-03-17 · Updated 2026-03-17 · CVE-2026-28506

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Outline versions prior to 1.5.0

Description: Outline is a collaborative documentation service. Prior to version 1.5.0, a logic flaw in the filtering mechanism of the /events.list API endpoint, which is used to retrieve activity logs, allows any authenticated user to access activity events for documents that have no collection (such as private drafts and deleted documents), bypassing the standard permission controls. The document content itself is not directly exposed, but sensitive metadata is leaked, including document IDs, user activity timestamps and, in some cases, the document title attached to permanent-delete events. Leaking valid document IDs of deleted drafts defeats the protection that unguessable UUIDs otherwise provide, simplifying the exploitation of high-severity IDOR attacks such as those affecting the documents.restore function.

Recommendations: Update to version 1.5.0 or later.
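The flaw class described above, as an added illustration that is not Outline's code: a simplified model of the permission filter on an activity-log listing, with the vulnerable pattern (collection-only filtering that lets collection-less documents through) beside a hardened version. All document, event and user records are constructed sample data.

```typescript
// Added illustration, not Outline's code: a simplified model of the /events.list
// permission filter. Types and sample records below are constructed for the example.
type Doc = { id: string; title: string; collectionId: string | null; createdById: string };
type Evt = { name: string; documentId: string; createdAt: string };
type User = { id: string; collectionIds: string[] };

// Constructed sample data: one shared document and one private draft without a collection.
const docs: Doc[] = [
  { id: "doc-shared", title: "Team handbook", collectionId: "col-team", createdById: "alice" },
  { id: "doc-draft", title: "Private draft", collectionId: null, createdById: "alice" },
];
const events: Evt[] = [
  { name: "documents.update", documentId: "doc-shared", createdAt: "2026-03-10T09:00:00Z" },
  { name: "documents.create", documentId: "doc-draft", createdAt: "2026-03-11T10:00:00Z" },
  { name: "documents.delete", documentId: "doc-draft", createdAt: "2026-03-12T11:00:00Z" },
];
const alice: User = { id: "alice", collectionIds: ["col-team"] };
const bob: User = { id: "bob", collectionIds: ["col-team"] };

const docsById = new Map<string, Doc>(docs.map((d) => [d.id, d]));

// Vulnerable pattern: access is decided purely by collection membership, so an event on a
// document with no collection (draft, deleted document) is never filtered out and leaks its
// document ID, event name and timestamp to any authenticated user.
function listEventsVulnerable(user: User, evts: Evt[] = events): Evt[] {
  return evts.filter((e) => {
    const doc = docsById.get(e.documentId);
    if (!doc) return false;
    return doc.collectionId === null || user.collectionIds.includes(doc.collectionId);
  });
}

// Hardened: a document outside any collection is visible only to its creator; documents in a
// collection still require membership. Unknown document IDs are denied rather than allowed.
function listEventsFixed(user: User, evts: Evt[] = events): Evt[] {
  return evts.filter((e) => {
    const doc = docsById.get(e.documentId);
    if (!doc) return false;
    if (doc.collectionId === null) return doc.createdById === user.id;
    return user.collectionIds.includes(doc.collectionId);
  });
}
```

With these records, bob (a collection member who does not own the draft) sees all three events under the vulnerable filter but only the shared-document event under the fixed one, while alice still sees her own draft activity.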

Information Disclosure

Related Identifiers

CVE-2026-28506
GHSA-69X7-6FCR-MM6G

Affected Products

Outline