Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-2004

NIXPKGS-2026-2004
published 14 hours ago
Authorization Bypass in API Key/OAuth Scopes via Path Parsing Discrepancy
Permalink CVE-2026-54573
5.3 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion 22 hours ago
  • @LeSuisse ignored
    17 packages
    • go-outline
    • mdbook-pdf-outline
    • typstPackages.suboutline
    • python312Packages.outlines
    • python313Packages.outlines
    • typstPackages.suboutline_0_1_0
    • typstPackages.suboutline_0_2_0
    • typstPackages.suboutline_0_3_0
    • mplus-outline-fonts.osdnRelease
    • python312Packages.outlines-core
    • python313Packages.outlines-core
    • python314Packages.outlines-core
    • typstPackages.outline-summaryst
    • mplus-outline-fonts.githubRelease
    • pkgsRocm.python3Packages.outlines
    • typstPackages.outline-summaryst_0_1_0
    • pkgsRocm.python3Packages.outlines-core
    14 hours ago
  • @LeSuisse accepted 14 hours ago
  • @LeSuisse published on GitHub 14 hours ago
Authorization Bypass in API Key/OAuth Scopes via Path Parsing Discrepancy

Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last segment. However, it fails to strip the URL fragment (#). Because Koa's router uses ctx.path (which strips the fragment) for routing, an attacker can append a fragment containing a permitted path (e.g., #foo/api/documents.info) to a restricted endpoint (e.g., /api/documents.create). The router will route the request to the restricted endpoint, but canAccess will evaluate the permitted path in the fragment, bypassing the API key scope restrictions and allowing privilege escalation. This vulnerability is fixed in 1.8.0.

Affected products

outline
  • ==< 1.8.0

Matching in nixpkgs

pkgs.outline

Fastest wiki and knowledge base for growing teams. Beautiful, feature rich, and markdown compatible

Ignored packages (17)

Package maintainers

Needs some backports