Outline Insecure Direct Object Reference Vulnerability in Document Sharing API

Vulnerability

A vulnerability allowing unauthorized access to private documents across workspaces has been identified in the Outline application. The issue is an insecure direct object reference (IDOR) in the 'shares.create' API endpoint, present in Outline versions 0.86.0 through 1.7.0. The endpoint's authorization logic verifies the caller's access to the collection supplied in the request, not to the document being shared, so an authenticated attacker can generate a public share link for any document identifier, including documents in other workspaces. As a result, attackers can read private documents in collections they are not members of, unpublished drafts, and documents belonging to entirely separate organizations hosted on the same Outline instance.

Impact

Exploitation of this vulnerability gives an authenticated user read access to private documents, unpublished drafts, and documents in other workspaces hosted on the same Outline instance, bypassing collection membership checks.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the 'shares.create' API endpoint containing a 'collectionId' they legitimately have access to together with the 'documentId' of a victim's document. Because the authorization check validates only the supplied collection and never the document, the share is created. Once the share is published, the attacker uses the 'documents.info' endpoint with that share to retrieve the full contents of the document.

Remediation

Update to Outline version 1.7.0 or later, which includes the patch for this vulnerability.

Added: Apr 28, 2026, 10:30 PM
Updated: Apr 28, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 7.8
remediation: 7.7
relevance: 6.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.