CVE-2026-24901 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: March 17, 2026
Outline - Insecure Direct Object Reference
Published: March 17, 2026 | Updated: March 17, 2026 | Remote Exploitable
Overview
Outline versions before 1.4.0 contain an insecure direct object reference (IDOR) caused by an ownership-validation bypass in the document restoration logic. It lets team members restore, view, and seize ownership of other users' deleted drafts. Exploitation requires team membership.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers can access sensitive private drafts and lock original owners out, compromising confidentiality and ownership control.
Mitigation
Update to version 1.4.0 or later.
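The missing check described in the overview, as an added illustration (a hypothetical JavaScript model, not Outline's code or the 1.4.0 patch): a restore policy that accepts any team member, beside one that also requires the requester to be the creator of a deleted draft. All names, fields and sample data are constructed.

```javascript
// Added illustration; hypothetical model, not Outline's source code.
// A draft has publishedAt === null; deletedAt !== null marks soft deletion.
class AuthorizationError extends Error {}

// Flawed pattern: team membership alone authorizes the restore.
function canRestoreTeamOnly(actor, doc) {
  return actor.teamId === doc.teamId && doc.deletedAt !== null;
}

// Hardened pattern: a deleted draft can only be restored by its creator.
// Assumption: published documents follow normal team permissions.
function canRestoreOwnerChecked(actor, doc) {
  if (actor.teamId !== doc.teamId || doc.deletedAt === null) return false;
  const isDraft = doc.publishedAt === null;
  return !isDraft || doc.createdById === actor.id;
}

// Restore never rewrites createdById, so it cannot transfer ownership.
function restoreDocument(actor, doc, policy) {
  if (!policy(actor, doc)) {
    // Generic error so the response does not confirm the draft exists.
    throw new AuthorizationError("Document not found");
  }
  return { ...doc, deletedAt: null };
}

// Wrapper that reports the outcome instead of throwing.
function tryRestore(actor, doc, policy) {
  try {
    return { ok: true, doc: restoreDocument(actor, doc, policy) };
  } catch (err) {
    if (err instanceof AuthorizationError) return { ok: false, doc: null };
    throw err;
  }
}

// Constructed sample data: two members of one team, one deleted draft.
const alice = { id: "u-alice", teamId: "t-1" };
const bob = { id: "u-bob", teamId: "t-1" };
const aliceDraft = {
  id: "d-100", teamId: "t-1", createdById: "u-alice",
  publishedAt: null, deletedAt: "2026-03-01T10:00:00Z",
};

console.log("team-only, bob:", tryRestore(bob, aliceDraft, canRestoreTeamOnly).ok);
console.log("owner-checked, bob:", tryRestore(bob, aliceDraft, canRestoreOwnerChecked).ok);
console.log("owner-checked, alice:", tryRestore(alice, aliceDraft, canRestoreOwnerChecked).ok);
```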
Details
- CVE ID: CVE-2026-24901
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N