{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33640", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.619Z", "datePublished": "2026-03-26T20:56:37.818Z", "dateUpdated": "2026-03-30T11:40:56.508Z"}, "containers": {"cna": {"title": "Outline has a rate limit bypass that allows brute force of email login OTP", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6"}, {"name": "https://github.com/outline/outline/releases/tag/v1.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/outline/outline/releases/tag/v1.6.0"}], "affected": [{"vendor": "outline", "product": "outline", "versions": [{"version": ">= 0.86.0, < 1.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:56:37.818Z"}, "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue."}], "source": {"advisory": "GHSA-cwhc-53hw-qqx6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:40:38.951078Z", "id": "CVE-2026-33640", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:40:56.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33640", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T11:40:38.951078Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:40:52.932Z"}}], "cna": {"title": "Outline has a rate limit bypass that allows brute force of email login OTP", "source": {"advisory": "GHSA-cwhc-53hw-qqx6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "outline", "product": "outline", "versions": [{"status": "affected", "version": ">= 0.86.0, < 1.6.0"}]}], "references": [{"url": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6", "name": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/outline/outline/releases/tag/v1.6.0", "name": "https://github.com/outline/outline/releases/tag/v1.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:56:37.818Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33640", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:40:56.508Z", "dateReserved": "2026-03-23T14:24:11.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:56:37.818Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue."}, {"lang": "es", "value": "Outline es un servicio que permite la documentaci\u00f3n colaborativa. Outline implementa un flujo de inicio de sesi\u00f3n con OTP por correo electr\u00f3nico para usuarios no asociados con un Proveedor de Identidad. A partir de la versi\u00f3n 0.86.0 y antes de la versi\u00f3n 1.6.0, Outline no invalida los c\u00f3digos OTP bas\u00e1ndose en la cantidad o frecuencia de env\u00edos inv\u00e1lidos, sino que se basa en el limitador de velocidad para restringir los intentos. En consecuencia, los bypasses identificados en el limitador de velocidad permiten el env\u00edo ilimitado de c\u00f3digos OTP dentro de la vida \u00fatil de los c\u00f3digos. Esto permite a los atacantes realizar ataques de fuerza bruta que posibilitan la toma de control de cuentas. La versi\u00f3n 1.6.0 corrige el problema."}], "id": "CVE-2026-33640", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:07.637", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/outline/outline/releases/tag/v1.6.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.86.0,1.6.0)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "outline", "source": "cna", "vendor": "outline"}, "product": "outline", "vendor": "getoutline"}], "analysis": {"en": {"generated_at": "2026-03-26T22:23:52.265262+00:00", "value": {"mitigation_remediation": ["Upgrade Outline to version 1.6.0 or later", "Verify that the OTP login flow now enforces code invalidation after failed attempts", "Monitor access logs for abnormal OTP request patterns and block suspicious IPs if necessary"], "summary": {"action": "Immediate Patch", "impact": "Account takeover"}, "threat_synthesis": {"affected_systems": "The affected product is Outline by Outline. The vulnerability is present in releases starting with version 0.86.0 and continuing through all versions prior to 1.6.0. Any deployment of Outline within that version range is susceptible to OTP brute\u2011force attacks.", "description_and_impact": "Outline\u2019s email OTP login flow, which is used for users not linked to an Identity Provider, lacks proper invalidation of OTP codes after too many failed attempts. The application relies on a rate limiter to deter brute force, but a bypass in this limiter allows attackers to submit unlimited OTP attempts within the code\u2019s lifetime. This flaw enables attackers to guess the short OTP code, achieving unauthorized access to a user\u2019s account and compromising the system\u2019s confidentiality and integrity.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.1, indicating a high severity impact. EPSS data is not available, and the issue has not been listed in CISA\u2019s KEV catalog. The likely attack vector is a brute\u2011force attempt that exploits the rate\u2011limit bypass, requiring only knowledge of the user\u2019s email address and the OTP code during its validity period. Because of the unrestricted attempts, the likelihood of successful exploitation is significant in environments where Outline is accessible over the internet."}}}}, "created": "2026-03-27T08:31:54.099331+00:00", "updated": "2026-03-27T09:23:21.509927+00:00", "vendors": ["getoutline", "getoutline$PRODUCT$outline"]}