CVE-2026-43889

Name of the Vulnerable Software and Affected Versions Outline versions prior to 1.7.0

Description The 'shares.create' API accepts both collectionId and documentId simultaneously. When published is set to false, the system only verifies read access for each, skipping the required share permission check. A subsequent 'shares.update' call authorizes publication using an OR policy, meaning the user only needs share permissions for either the collection or the document. This allows an attacker with share permissions on an unrelated collection to publish a share that exposes an arbitrary document they are not authorized to share, making it accessible to unauthenticated users.

Recommendations Update to version 1.7.0.