CVE-2026-43886

Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access

CVSS 8.2 HIGHEPSS 0.2%CWE-269

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.2EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

Affected products

outline · outline

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/outline/outline/security/advisories/GHSA-7732-6qrg-wjf4