CVE-2026-43890

Name of the Vulnerable Software and Affected Versions Outline versions 0.84.0 through 1.7.0

Description The 'subscriptions.create' API endpoint in 'server/routes/api/subscriptions/subscriptions.ts' contains a broken authorization pattern. When both collectionId and documentId are provided in a request, the system only validates authorization for the collection branch. However, the subscriptionCreator() function in 'server/commands/subscriptionCreator.ts' creates the subscription using the documentId, which remains unvalidated. Because the schema in 'server/routes/api/subscriptions/schema.ts' allows both parameters to be sent simultaneously, an attacker can create a subscription to a document they do not have read access to on any team within the instance.

Recommendations Update to version 1.7.1.