Vulnerability Description
Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-54573?
CVE-2026-54573 is a documented vulnerability. Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the requir...
How severe is CVE-2026-54573?
CVSS scoring is not yet available for CVE-2026-54573. Check NVD for updates.
Is there a patch for CVE-2026-54573?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.