Outline Document Subscription Cross-Tenant Authorization Vulnerability

Vulnerability

A broken authorization vulnerability has been identified in the Outline application, specifically in the subscriptions.create API endpoint. This issue affects versions 0.84.0 prior to 1.7.0. The vulnerability arises because the endpoint does not validate both collectionId and documentId when a request supplies them together. The route handler runs only the collection authorization branch and never checks that the caller may read the document whose ID is then stored in the subscription. An attacker can therefore create a subscription that links their own user account to a document they have no permission to access. The result is that unauthorized users receive notifications about changes to private documents belonging to other teams.

Impact

Exploitation of this vulnerability is a broken object-level authorization issue that enables cross-tenant subscriptions on private documents. An attacker can pin their user account to any document in the instance whose ID they know, including documents in other teams, without having read access to it. Document IDs are UUIDs, so they must be obtained rather than enumerated, but once a subscription exists the attacker receives notifications about every update to the document, including its title and the identity of the person who modified it.

Reproduction

To reproduce this vulnerability in a test instance, use two teams: an attacker account that is a member of team A and a victim account that is a member of team B.

1. As the victim, create a private document in team B and note its UUID. The attacker must already know this ID; it is the only piece of victim data the attack needs.
2. As the attacker, create (or pick) a collection in team A that the attacker is allowed to read, and note its ID.
3. As the attacker, send a request to the subscriptions.create API endpoint with collectionId set to the team A collection and documentId set to the UUID of the team B document.

The handler authorizes only the collection, which succeeds because it belongs to the attacker's own team, and writes the subscription with the victim's documentId unchecked. The request is processed successfully and a subscription now links the attacker's user account to the victim's document.
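The mechanism from the Vulnerability section and the request from the steps above, as an added illustration that is not Outline's own code: a reduced model of a subscriptions.create handler with the one-branch authorization gap, beside a version that authorizes every identifier it persists. The in-memory store, the team-only read policy, the sample IDs and the "event" field in the request body are simplified assumptions, not the project's real data model or API schema.

```typescript
// Added illustration, not Outline's own code. Store, policy and request
// field names below are simplified assumptions.

type User = { id: string; teamId: string };
type Collection = { id: string; teamId: string };
type Doc = { id: string; teamId: string; collectionId: string; title: string };
type Subscription = { userId: string; event: string; documentId?: string; collectionId?: string };
type Body = { documentId?: string; collectionId?: string; event: string };

class AuthorizationError extends Error {
  constructor() { super("authorization_error"); this.name = "AuthorizationError"; }
}

// Constructed sample data: attacker in team A, victim's private document in team B.
const collections = new Map<string, Collection>([
  ["col-a", { id: "col-a", teamId: "team-a" }],
  ["col-b", { id: "col-b", teamId: "team-b" }],
]);
const documents = new Map<string, Doc>([
  ["doc-a", { id: "doc-a", teamId: "team-a", collectionId: "col-a", title: "Team A notes" }],
  ["doc-b-private", { id: "doc-b-private", teamId: "team-b", collectionId: "col-b", title: "Q3 board deck" }],
]);
const attacker: User = { id: "user-attacker", teamId: "team-a" };

// Toy policy (assumption): read access only inside the caller's own team.
function authorizeRead(user: User, target: { teamId: string }): void {
  if (user.teamId !== target.teamId) throw new AuthorizationError();
}

function load<T>(store: Map<string, T>, id: string): T {
  const row = store.get(id);
  if (!row) throw new Error("not_found");
  return row;
}

// Vulnerable shape: when collectionId is present only the collection branch
// runs, and documentId is copied into the subscription without any check.
function createSubscriptionVulnerable(user: User, body: Body): Subscription {
  const { documentId, collectionId, event } = body;
  if (collectionId) {
    authorizeRead(user, load(collections, collectionId));
    return { userId: user.id, event, collectionId, documentId }; // documentId never authorized
  }
  if (documentId) {
    authorizeRead(user, load(documents, documentId));
    return { userId: user.id, event, documentId };
  }
  throw new Error("validation_error");
}

// Fixed shape: authorize every identifier that will be persisted. The extra
// check that the document actually belongs to the named collection is a
// consistency guard added here; the upstream fix may differ.
function createSubscriptionFixed(user: User, body: Body): Subscription {
  const { documentId, collectionId, event } = body;
  if (!documentId && !collectionId) throw new Error("validation_error");
  let doc: Doc | undefined;
  if (documentId) {
    doc = load(documents, documentId);
    authorizeRead(user, doc);
  }
  if (collectionId) {
    authorizeRead(user, load(collections, collectionId));
    if (doc && doc.collectionId !== collectionId) throw new Error("validation_error");
  }
  return { userId: user.id, event, documentId, collectionId };
}

// The attacker's request body from the reproduction steps: their own team A
// collection plus the UUID of the private team B document. The "event"
// value is an assumption about the request shape.
const attackerBody: Body = { collectionId: "col-a", documentId: "doc-b-private", event: "documents.update" };

type Outcome = { subscribed: boolean; documentId?: string; error?: string };

// Runs one handler against a request and reports whether a subscription was created.
function attempt(handler: (u: User, b: Body) => Subscription, body: Body = attackerBody): Outcome {
  try {
    const sub = handler(attacker, body);
    return { subscribed: true, documentId: sub.documentId };
  } catch (e) {
    return { subscribed: false, error: (e as Error).message };
  }
}

// Stand-alone run: the vulnerable handler subscribes the attacker to the
// team B document; the fixed handler rejects the request.
console.log("vulnerable:", attempt(createSubscriptionVulnerable));
console.log("fixed:     ", attempt(createSubscriptionFixed));
```

The point to carry over to a real review is the shape of the bug rather than the toy policy: any handler that accepts several optional object identifiers and branches on the first one present must authorize each identifier it ends up storing, not just the one that selected the branch.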

Remediation

Update to Outline version 1.7.1 or later, where this vulnerability has been fixed. After upgrading, confirm the fix by repeating the reproduction request and expecting an authorization error, and review existing subscriptions for rows that link a user to a document in a team the user does not belong to, since subscriptions created before the upgrade are not undone by it.

Added: May 11, 2026, 10:32 PM
Updated: May 11, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.3
exploitability: 5.8
remediation: 7.7
relevance: 8.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.