Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1284

NIXPKGS-2026-1284

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-41649

7.7 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 3 weeks ago
@LeSuisse ignored reference https://g… 1 month, 3 weeks ago
@LeSuisse ignored
17 packages
- go-outline
- mdbook-pdf-outline
- typstPackages.suboutline
- python312Packages.outlines
- python313Packages.outlines
- typstPackages.suboutline_0_1_0
- typstPackages.suboutline_0_2_0
- typstPackages.suboutline_0_3_0
- mplus-outline-fonts.osdnRelease
- python312Packages.outlines-core
- python313Packages.outlines-core
- python314Packages.outlines-core
- typstPackages.outline-summaryst
- mplus-outline-fonts.githubRelease
- pkgsRocm.python3Packages.outlines
- typstPackages.outline-summaryst_0_1_0
- pkgsRocm.python3Packages.outlines-core
1 month, 3 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse ignored
4 maintainers
- @cab404
- @e1mo
- @xanderio
- @yrd
1 month, 3 weeks ago maintainer.ignore
@LeSuisse published on GitHub 1 month, 3 weeks ago

Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces

Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.

References

https://github.com/outline/outline/security/advisories/GHSA-23jj-rp48-w7q7 x_refsource_CONFIRM
https://github.com/outline/outline/commit/1b91a295e10f58a1088c54f533773788325ff460 x_refsource_MISC

Ignored references (1)

https://github.com/outline/outline/releases/tag/v1.7.0 x_refsource_MISC

Affected products

outline

==>= 0.86.0, < 1.7.0

Matching in nixpkgs

pkgs.outline

Fastest wiki and knowledge base for growing teams. Beautiful, feature rich, and markdown compatible

nixos-unstable 1.6.1
- nixpkgs-unstable 1.6.1
- nixos-unstable-small 1.7.0

Ignored packages (17)

pkgs.go-outline

Utility to extract JSON representation of declarations from a Go source file

nixos-unstable 2021-06-08
- nixpkgs-unstable 2021-06-08
- nixos-unstable-small 2021-06-08

pkgs.mdbook-pdf-outline

None

nixos-unstable 0.1.6
- nixpkgs-unstable 0.1.6
- nixos-unstable-small 0.1.6

pkgs.typstPackages.suboutline

An outline function just for one section and nothing else

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0

pkgs.python312Packages.outlines

None

pkgs.python313Packages.outlines

Structured text generation

nixos-unstable 1.2.12
- nixpkgs-unstable 1.2.12
- nixos-unstable-small 1.2.12

pkgs.typstPackages.suboutline_0_1_0

An outline function just for one section and nothing else

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.typstPackages.suboutline_0_2_0

An outline function just for one section and nothing else

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0

pkgs.typstPackages.suboutline_0_3_0

An outline function just for one section and nothing else

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0

pkgs.mplus-outline-fonts.osdnRelease

M+ Outline Fonts (legacy OSDN release)

nixos-unstable 063a
- nixpkgs-unstable 063a
- nixos-unstable-small 063a

pkgs.python312Packages.outlines-core

None

pkgs.python313Packages.outlines-core

Structured text generation (core)

nixos-unstable 0.2.14
- nixpkgs-unstable 0.2.14
- nixos-unstable-small 0.2.14

pkgs.python314Packages.outlines-core

Structured text generation (core)

nixos-unstable 0.2.14
- nixpkgs-unstable 0.2.14
- nixos-unstable-small 0.2.14

pkgs.typstPackages.outline-summaryst

A basic template for including a summary for each entry in the table of contents. Useful for writing books

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.mplus-outline-fonts.githubRelease

M+ Outline Fonts (GitHub release)

nixos-unstable 2022-05-19
- nixpkgs-unstable 2022-05-19
- nixos-unstable-small 2022-05-19

pkgs.pkgsRocm.python3Packages.outlines

Structured text generation

nixos-unstable 1.2.12
- nixpkgs-unstable 1.2.12
- nixos-unstable-small 1.2.12

pkgs.typstPackages.outline-summaryst_0_1_0

A basic template for including a summary for each entry in the table of contents. Useful for writing books

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.pkgsRocm.python3Packages.outlines-core

Structured text generation (core)

nixos-unstable 0.2.14
- nixpkgs-unstable 0.2.14
- nixos-unstable-small 0.2.14

Package maintainers

Ignored maintainers (4)

@yrd Yannik Rödel <nix@yannik.info>
@e1mo Nina Fromm <nixpkgs@e1mo.de>
@xanderio Alexander Sieg <alex@xanderio.de>
@cab404 Vladimir Serov <cab404@mailbox.org>