PT-2026-35821 · Outline · Outline

Ayboraa · Published 2026-04-28 · Updated 2026-05-01 · CVE-2026-41649

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Outline versions 0.86.0 through 1.6.9

Description

An insecure direct object reference exists in the 'shares.create' API endpoint. When both collectionId and documentId are provided in a request, the authorization logic verifies access to the collection but ignores the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including those from other workspaces. The full contents of the document can subsequently be retrieved via the 'documents.info' endpoint.

Recommendations

Update to version 1.7.0.
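
The authorization gap from the description, modeled as an added example that is not Outline's code and not the 1.7.0 patch. All type and function names, the sample data, and the rule that a supplied documentId must belong to the supplied collectionId are assumptions made for illustration.

```typescript
// Hypothetical model of a share-creation authorization check; not Outline's code.
interface DocRecord { id: string; collectionId: string; teamId: string }
interface Account { id: string; teamId: string; collections: string[] }
interface ShareCreateRequest { collectionId?: string; documentId?: string }

// Constructed sample data: one document in the caller's workspace, one outside it.
const DOCS: Record<string, DocRecord> = {
  "doc-own": { id: "doc-own", collectionId: "col-a", teamId: "team-1" },
  "doc-foreign": { id: "doc-foreign", collectionId: "col-z", teamId: "team-2" },
};
const ALICE: Account = { id: "alice", teamId: "team-1", collections: ["col-a"] };

function canReadCollection(user: Account, collectionId: string): boolean {
  return user.collections.indexOf(collectionId) !== -1;
}

function canReadDocument(user: Account, doc: DocRecord): boolean {
  return doc.teamId === user.teamId && canReadCollection(user, doc.collectionId);
}

// Flawed: a passing collection check ends authorization, so a documentId sent
// in the same request is accepted without ever being checked.
function authorizeShareFlawed(user: Account, req: ShareCreateRequest): boolean {
  if (req.collectionId) {
    return canReadCollection(user, req.collectionId);
  }
  if (req.documentId) {
    const doc = DOCS[req.documentId];
    return doc !== undefined && canReadDocument(user, doc);
  }
  return false;
}

// Hardened: every identifier supplied by the client is authorized on its own,
// and (assumed rule) the document must belong to the collection named with it.
function authorizeShareHardened(user: Account, req: ShareCreateRequest): boolean {
  if (!req.collectionId && !req.documentId) return false;
  if (req.collectionId && !canReadCollection(user, req.collectionId)) return false;
  if (req.documentId) {
    const doc = DOCS[req.documentId];
    if (doc === undefined || !canReadDocument(user, doc)) return false;
    if (req.collectionId && doc.collectionId !== req.collectionId) return false;
  }
  return true;
}
```

A regression test for this class of bug pairs an identifier the caller may access with one it may not, in a single request, and expects a denial.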

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-41649

Affected Products

Outline