CVE-2026-28506

CVE-2026-28506 is a medium-severity vulnerability in Getoutline Outline with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-200.

Key facts

Description

Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no collection (e.g., Private Drafts, Deleted Documents), regardless of the user's actual permissions on those documents. While the document content is not directly exposed, this vulnerability leaks sensitive metadata (such as Document IDs, user activity timestamps, and in some specific cases like the Document Title of Permanent Delete). Crucially, leaking valid Document IDs of deleted drafts removes the protection of UUID randomness, making High-severity IDOR attacks (such as the one identified in documents.restore) trivially exploitable by lowering the attack complexity. Version 1.5.0 fixes the issue.

Frequently asked questions

What is CVE-2026-28506?
Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no collection (e.g., Private Drafts, Deleted Documents), regardless of the user's actual permissions on those documents. While the document content is not directly exposed, this vulnerability leaks sensitive metadata (such as Document IDs, user activity timestamps, and in some specific cases like the Document Title of Permanent Delete). Crucially, leaking valid Document IDs of deleted drafts removes the protection of UUID randomness, making High-severity IDOR attacks (such as the one identified in documents.restore) trivially exploitable by lowering the attack complexity. Version 1.5.0 fixes the issue.
How severe is CVE-2026-28506?
CVE-2026-28506 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-28506 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (14th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-28506?
CVE-2026-28506 affects Getoutline Outline. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-28506?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-28506 have an EU (EUVD) identifier?
Yes. CVE-2026-28506 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-12584.
When was CVE-2026-28506 published?
CVE-2026-28506 was published on 2026-03-17 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Getoutline Outline

All CVEs affecting Getoutline Outline →

Other CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities

Browse all CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities →