CVE-2026-25062

5.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers to read arbitrary files on Outline servers by exploiting path traversal during JSON import. Attackers can embed sequences like '../' in attachment keys to access sensitive system files. All Outline instances running versions before 1.4.0 are affected.

💻 Affected Systems

Products:
  • Outline
Versions: All versions before 1.4.0
Operating Systems: All platforms running Outline
Default Config Vulnerable: ⚠️ Yes
Notes: Requires JSON import functionality to be accessible, which is typically available to users with import permissions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files like SSH keys, configuration files, or database credentials, potentially leading to lateral movement or data exfiltration.

🟠 Likely Case

Unauthorized access to sensitive server files containing configuration data, user information, or other application data stored on the filesystem.

🟢 If Mitigated

Limited impact if proper file permissions restrict access to sensitive directories, though some application data may still be exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user access to JSON import functionality. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0

Vendor Advisory: https://github.com/outline/outline/security/advisories/GHSA-7r4f-3wjv-83xf

Restart Required: Yes

Instructions:

1. Back up your Outline instance and database.
2. Update to version 1.4.0 or later using your deployment method (Docker, manual install, etc.).
3. Restart the Outline service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable JSON Import

all

Temporarily disable JSON import functionality to prevent exploitation while planning upgrade.

Restrict Import Permissions

all

Limit JSON import capabilities to only trusted administrators.

🧯 If You Can't Patch

  • Implement strict file system permissions to limit Outline's access to sensitive directories
  • Monitor and audit JSON import activities for suspicious patterns
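The TL;DR above describes the bug as attachment keys in an imported JSON document being joined onto a filesystem path without a containment check. The following is an added example (not Outline's code, and the import document shape and the /data/attachments base directory are assumptions) of the kind of validation a defender would apply before any key is resolved, plus a scan that lists offending keys from a constructed import document.

```python
import json
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample import document. The real Outline export layout is
# not shown on the page, so this shape is an assumption for illustration.
SAMPLE_IMPORT = json.dumps({
    "documents": [{"title": "Welcome"}],
    "attachments": [
        {"key": "uploads/abc123/diagram.png"},
        {"key": "uploads/../../../etc/passwd"},
        {"key": "uploads%2F..%2F..%2Froot%2F.ssh%2Fid_rsa"},
        {"key": "/etc/shadow"},
        {"key": "uploads\\..\\..\\secrets.env"},
    ],
})

def resolve_attachment_key(key: str, base_dir: str = "/data/attachments") -> Optional[str]:
    """Return the on-disk path for an attachment key, or None if the key
    would escape base_dir. Percent-decoding (twice, to catch double
    encoding) and backslash folding happen before normalization so that
    encoded or Windows-style traversal is rejected as well."""
    decoded = unquote(unquote(key)).replace("\\", "/")
    if decoded.startswith("/"):
        return None  # absolute keys are never valid attachment names
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    # Containment check: the normalized path must be strictly below base_dir.
    if not candidate.startswith(base_dir.rstrip("/") + "/"):
        return None
    return candidate

def unsafe_attachment_keys(import_json: str) -> List[str]:
    """Return every attachment key in an import document that fails the
    containment check; an empty list means the document is clean."""
    doc = json.loads(import_json)
    return [a["key"] for a in doc.get("attachments", [])
            if resolve_attachment_key(a["key"]) is None]
```

Keys that merely contain ".." but still resolve inside the base directory (for example "uploads/abc/../def.png") are accepted, which is why the check is done on the normalized path rather than by string-matching "../".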

🔍 How to Verify

Check if Vulnerable:

Check Outline version via admin panel or by examining package.json/version files. If version is below 1.4.0, the system is vulnerable.

Check Version:

docker exec outline_container node -p "require('./package.json').version" (substitute your container name), or check the admin panel

Verify Fix Applied:

After updating, verify version is 1.4.0 or higher and test JSON import functionality with safe test data.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON import activities
  • File read errors for unexpected paths
  • Import requests containing '../' sequences

Network Indicators:

  • Multiple import requests from single user
  • Import payloads with unusual attachment keys

SIEM Query:

source="outline" AND ("import" OR "attachment") AND ("..\/" OR "../" OR "/etc/" OR "/root/")

🔗 References
