Outline Unauthorized Document Publication Vulnerability via Mixed collectionId and documentId Shares

Vulnerability

A vulnerability in the Outline collaborative documentation service prior to version 1.7.0 allows unauthorized publication of documents. The shares.create API accepted both collectionId and documentId in the same request. When published was false, it only checked read access on each referenced object and ignored the 'share' permission. This oversight allowed an attacker with share permission on one collection to publish a share that exposed a document from another collection, bypassing authorization controls and making the document accessible to unauthenticated users. The vulnerability is fixed in version 1.7.0.

Impact

Exploiting this vulnerability allows an authenticated user to publicly disclose any document they can read, regardless of sharing permissions. This bypasses collection-level sharing controls and results in persistent exposure of the document until the share is revoked.

Reproduction

To reproduce this vulnerability, an authenticated user must have read access to a document in a collection they cannot share, and share permission on an unrelated collection. First, create a mixed share using the shares.create API, including both the documentId and the collectionId of the unrelated collection, with published set to false. This step succeeds without share permission on the document's collection. Next, update the share using the shares.update API, changing published to true. The update is authorized because of the share permission on the unrelated collection, and the document becomes publicly accessible.
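The following is an added example, not Outline's own code, that models the two-step sequence above as an authorization decision: a flawed policy that behaves the way the advisory describes (read-only checks on an unpublished create, share permission on any referenced collection on update) next to a hardened policy that refuses mixed requests and derives the authorization target from the document being exposed. The data shapes, function names and the shape of the hardened check are assumptions made for illustration; the advisory does not state how version 1.7.0 implements the fix.

```typescript
// Added example (not Outline's code): toy model of the shares.create /
// shares.update authorization decision. Names, data shapes and the exact
// hardened policy are assumptions, not the project's implementation.

type Permission = "read" | "share";
type Access = Record<string, Set<Permission>>; // collectionId -> permissions held

interface Doc { id: string; collectionId: string; }
interface ShareInput { documentId?: string; collectionId?: string; published: boolean; }
interface Share extends ShareInput { id: string; }

// Constructed sample data: the user can only read col-A (where doc-1 lives)
// but holds share permission on col-B, which is unrelated to doc-1.
const documents: Record<string, Doc> = {
  "doc-1": { id: "doc-1", collectionId: "col-A" },
};
const user: Access = {
  "col-A": new Set<Permission>(["read"]),
  "col-B": new Set<Permission>(["read", "share"]),
};

function has(access: Access, collectionId: string, p: Permission): boolean {
  return access[collectionId]?.has(p) ?? false;
}

// Collections a share refers to: the document's own collection and/or the
// collectionId supplied in the request.
function referenced(s: ShareInput): string[] {
  const ids: string[] = [];
  if (s.documentId) ids.push(documents[s.documentId]?.collectionId ?? "");
  if (s.collectionId) ids.push(s.collectionId);
  return ids;
}

// Flawed policy (behaviour described for versions before 1.7.0, modelled here):
// an unpublished create needs only read on each referenced object, and a later
// update to published=true is satisfied by share permission on ANY referenced
// collection, including one unrelated to the document.
function flawedCreate(req: ShareInput, access: Access): boolean {
  const ids = referenced(req);
  if (ids.some((c) => !has(access, c, "read"))) return false;
  return req.published ? ids.some((c) => has(access, c, "share")) : true;
}
function flawedUpdate(share: Share, published: boolean, access: Access): boolean {
  if (!published) return true;
  return referenced(share).some((c) => has(access, c, "share"));
}

// Hardened policy (assumed): refuse mixed requests, resolve the authorization
// target from the object being exposed, and require share permission on that
// target on both create and update. Publishing is a share decision, not a
// read decision, so an unpublished create is gated the same way.
function resolveTarget(s: ShareInput): string | undefined {
  if (s.documentId && s.collectionId) return undefined; // mixed share refused
  return s.documentId ? documents[s.documentId]?.collectionId : s.collectionId;
}
function hardenedCreate(req: ShareInput, access: Access): boolean {
  const target = resolveTarget(req);
  return target !== undefined && has(access, target, "share");
}
function hardenedUpdate(share: Share, published: boolean, access: Access): boolean {
  const target = resolveTarget(share);
  if (target === undefined) return false;
  return !published || has(access, target, "share");
}

// Run the advisory's create-then-publish sequence under a given policy and
// report whether doc-1 ends up publicly exposed.
function simulate(
  create: (req: ShareInput, access: Access) => boolean,
  update: (share: Share, published: boolean, access: Access) => boolean,
): boolean {
  const req: ShareInput = { documentId: "doc-1", collectionId: "col-B", published: false };
  if (!create(req, user)) return false;
  const share: Share = { id: "share-1", ...req };
  return update(share, true, user);
}

console.log("flawed policy exposes doc-1:", simulate(flawedCreate, flawedUpdate));     // true
console.log("hardened policy exposes doc-1:", simulate(hardenedCreate, hardenedUpdate)); // false
```

The point the hardened variant makes is that the request's collectionId must never substitute for the collection the document actually belongs to; once the target is derived from the document, the share permission the user holds elsewhere is irrelevant. Refusing the mixed form outright also removes the ambiguity that let the two checks diverge between create and update.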

Remediation

Users are advised to update to Outline version 1.7.0 or later, where this vulnerability has been fixed.

Added: May 11, 2026, 10:32 PM
Updated: May 11, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 3.1
exploitability: 6.8
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.