CVE-2026-43889
Outline is vulnerable prior to 1.7.0 due to the shares.create API accepting both collectionId and documentId and, when published=false, skipping the share-permission check. A subsequent shares.update permits publication using an OR policy (can share collection OR can share document), allowing an ...