Nixpkgs security tracker

Untriaged

Permalink CVE-2026-43890

7.7 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 1 week, 6 days ago Activity log

Created suggestion 1 week, 6 days ago

Outline: IDOR in subscriptions.create allows cross-tenant subscription on private documents (sibling of GHSA-23jj-rp48-w7q7)

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() — it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1.

References

https://github.com/outline/outline/security/advisories/GHSA-gf8h-cv9v-q4fw x_refsource_CONFIRM

Affected products

outline

==>= 0.82.1, < 1.7.1

Matching in nixpkgs

pkgs.outline

Fastest wiki and knowledge base for growing teams. Beautiful, feature rich, and markdown compatible

nixos-unstable 1.7.1
- nixpkgs-unstable 1.7.1
- nixos-unstable-small 1.7.1
nixos-25.11 1.7.1
- nixos-25.11-small 1.7.1
- nixpkgs-25.11-darwin 1.7.1

pkgs.go-outline

Utility to extract JSON representation of declarations from a Go source file

nixos-unstable 2021-06-08
- nixpkgs-unstable 2021-06-08
- nixos-unstable-small 2021-06-08
nixos-25.11 2021-06-08
- nixos-25.11-small 2021-06-08
- nixpkgs-25.11-darwin 2021-06-08

pkgs.mdbook-pdf-outline

None

nixos-unstable 0.1.6
- nixpkgs-unstable 0.1.6
- nixos-unstable-small 0.1.6
nixos-25.11 0.1.6
- nixos-25.11-small 0.1.6
- nixpkgs-25.11-darwin 0.1.6

pkgs.typstPackages.suboutline

An outline function just for one section and nothing else

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.python312Packages.outlines

Structured text generation

nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python313Packages.outlines

Structured text generation

nixos-unstable 1.2.12
- nixpkgs-unstable 1.2.12
- nixos-unstable-small 1.2.12
nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.typstPackages.suboutline_0_1_0

An outline function just for one section and nothing else

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.typstPackages.suboutline_0_2_0

An outline function just for one section and nothing else

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.2.0
- nixos-25.11-small 0.2.0
- nixpkgs-25.11-darwin 0.2.0

pkgs.typstPackages.suboutline_0_3_0

An outline function just for one section and nothing else

nixos-unstable 0.3.0
- nixpkgs-unstable 0.3.0
- nixos-unstable-small 0.3.0
nixos-25.11 0.3.0
- nixos-25.11-small 0.3.0
- nixpkgs-25.11-darwin 0.3.0

pkgs.mplus-outline-fonts.osdnRelease

M+ Outline Fonts (legacy OSDN release)

nixos-unstable 063a
- nixpkgs-unstable 063a
- nixos-unstable-small 063a
nixos-25.11 063a
- nixos-25.11-small 063a
- nixpkgs-25.11-darwin 063a

pkgs.python312Packages.outlines-core

Structured text generation (core)

nixos-25.11 0.2.11
- nixos-25.11-small 0.2.11
- nixpkgs-25.11-darwin 0.2.11

pkgs.python313Packages.outlines-core

Structured text generation (core)

nixos-unstable 0.2.14
- nixpkgs-unstable 0.2.14
- nixos-unstable-small 0.2.14
nixos-25.11 0.2.11
- nixos-25.11-small 0.2.11
- nixpkgs-25.11-darwin 0.2.11

pkgs.python314Packages.outlines-core

Structured text generation (core)

nixos-unstable 0.2.14
- nixpkgs-unstable 0.2.14
- nixos-unstable-small 0.2.14

pkgs.typstPackages.outline-summaryst

A basic template for including a summary for each entry in the table of contents. Useful for writing books

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.mplus-outline-fonts.githubRelease

M+ Outline Fonts (GitHub release)

nixos-unstable 2022-05-19
- nixpkgs-unstable 2022-05-19
- nixos-unstable-small 2022-05-19
nixos-25.11 2022-05-19
- nixos-25.11-small 2022-05-19
- nixpkgs-25.11-darwin 2022-05-19

pkgs.pkgsRocm.python3Packages.outlines

Structured text generation

nixos-unstable 1.2.12
- nixpkgs-unstable 1.2.12
- nixos-unstable-small 1.2.12
nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.typstPackages.outline-summaryst_0_1_0

A basic template for including a summary for each entry in the table of contents. Useful for writing books

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.pkgsRocm.python3Packages.outlines-core

Structured text generation (core)

nixos-unstable 0.2.14
- nixpkgs-unstable 0.2.14
- nixos-unstable-small 0.2.14
nixos-25.11 0.2.11
- nixos-25.11-small 0.2.11
- nixpkgs-25.11-darwin 0.2.11

Package maintainers

@vdemeester Vincent Demeester <vincent@sbr.pm>
@HollowMan6 Songlin Jiang <hollowman@hollowman.ml>
@uakci uakci <git@uakci.space>
@xanderio Alexander Sieg <alex@xanderio.de>
@cab404 Vladimir Serov <cab404@mailbox.org>
@yrd Yannik Rödel <nix@yannik.info>
@e1mo Nina Fromm <nixpkgs@e1mo.de>
@CertainLach Yaroslav Bolyukin <iam@lach.pw>
@danieldk Daniël de Kok <me@danieldk.eu>
@RossSmyth Ross Smyth
@cherrypiejam Gongqi Huang

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.outline

pkgs.go-outline

pkgs.mdbook-pdf-outline

pkgs.typstPackages.suboutline

pkgs.python312Packages.outlines

pkgs.python313Packages.outlines

pkgs.typstPackages.suboutline_0_1_0

pkgs.typstPackages.suboutline_0_2_0

pkgs.typstPackages.suboutline_0_3_0

pkgs.mplus-outline-fonts.osdnRelease

pkgs.python312Packages.outlines-core

pkgs.python313Packages.outlines-core

pkgs.python314Packages.outlines-core

pkgs.typstPackages.outline-summaryst

pkgs.mplus-outline-fonts.githubRelease

pkgs.pkgsRocm.python3Packages.outlines

pkgs.typstPackages.outline-summaryst_0_1_0

pkgs.pkgsRocm.python3Packages.outlines-core

Package maintainers