{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33640", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.619Z", "datePublished": "2026-03-26T20:56:37.818Z", "dateUpdated": "2026-04-01T03:55:21.240Z"}, "containers": {"cna": {"title": "Outline has a rate limit bypass that allows brute force of email login OTP", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6"}, {"name": "https://github.com/outline/outline/releases/tag/v1.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/outline/outline/releases/tag/v1.6.0"}], "affected": [{"vendor": "outline", "product": "outline", "versions": [{"version": ">= 0.86.0, < 1.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:56:37.818Z"}, "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue."}], "source": {"advisory": "GHSA-cwhc-53hw-qqx6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33640"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T03:55:21.240Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33640", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T11:40:38.951078Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:40:52.932Z"}}], "cna": {"title": "Outline has a rate limit bypass that allows brute force of email login OTP", "source": {"advisory": "GHSA-cwhc-53hw-qqx6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "outline", "product": "outline", "versions": [{"status": "affected", "version": ">= 0.86.0, < 1.6.0"}]}], "references": [{"url": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6", "name": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/outline/outline/releases/tag/v1.6.0", "name": "https://github.com/outline/outline/releases/tag/v1.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:56:37.818Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33640", "state": "PUBLISHED", "dateUpdated": "2026-04-01T03:55:21.240Z", "dateReserved": "2026-03-23T14:24:11.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:56:37.818Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getoutline:outline:*:*:*:*:*:*:*:*", "matchCriteriaId": "618371C5-39DB-422A-9E34-034A84D32E3A", "versionEndExcluding": "1.6.0", "versionStartIncluding": "0.86.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue."}, {"lang": "es", "value": "Outline es un servicio que permite la documentaci\u00f3n colaborativa. Outline implementa un flujo de inicio de sesi\u00f3n con OTP por correo electr\u00f3nico para usuarios no asociados con un Proveedor de Identidad. A partir de la versi\u00f3n 0.86.0 y antes de la versi\u00f3n 1.6.0, Outline no invalida los c\u00f3digos OTP bas\u00e1ndose en la cantidad o frecuencia de env\u00edos inv\u00e1lidos, sino que se basa en el limitador de velocidad para restringir los intentos. En consecuencia, los bypasses identificados en el limitador de velocidad permiten el env\u00edo ilimitado de c\u00f3digos OTP dentro de la vida \u00fatil de los c\u00f3digos. Esto permite a los atacantes realizar ataques de fuerza bruta que posibilitan la toma de control de cuentas. La versi\u00f3n 1.6.0 corrige el problema."}], "id": "CVE-2026-33640", "lastModified": "2026-03-31T01:42:34.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:07.637", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/outline/outline/releases/tag/v1.6.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/outline/outline/security/advisories/GHSA-cwhc-53hw-qqx6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.86.0,1.6.0)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "outline", "source": "cna", "vendor": "outline"}, "product": "outline", "vendor": "getoutline"}], "analysis": {"en": {"generated_at": "2026-03-31T05:45:08.666418+00:00", "value": {"mitigation_remediation": ["Upgrade Outline to version\u00a01.6.0 or later to receive the patch that restores OTP invalidation logic.", "Verify that the OTP rate limiter is now enforced after the upgrade.", "If an upgrade is not immediately possible, configure a temporary stricter rate limit on OTP requests or disable OTP login entirely until the fix can be applied.", "Consider switching to an Identity Provider integration to eliminate the vulnerable OTP flow.", "Monitor login activity for repeated failed OTP attempts and investigate any suspicious patterns."], "summary": {"action": "Immediate Patch", "impact": "Account takeover through OTP brute force"}, "threat_synthesis": {"affected_systems": "This flaw exists in Outline collaborative documentation software manufactured by Outline. The affected releases are all versions from 0.86.0 through 1.5.x. The vendor released a fix in version\u00a01.6.0.", "description_and_impact": "The vulnerability is a rate\u2011limit bypass in the OTP verification flow. This allows an attacker who can trigger OTP requests to submit unlimited attempts until a correct code is found, effectively performing a brute\u2011force attack. Successful exploitation results in account takeover, granting the attacker full control over the victim's data. The weakness is a classic Account\u2011Reset\u2011By\u2011Guessing problem (CWE\u2011307).", "risk_and_exploitability": "The CVSS score of 9.1 indicates very high severity. The EPSS score is below 1\u202f%, suggesting a low current attack probability, but the vulnerability is not listed in the CISA KEV catalog. The exploit requires only the ability to initiate an OTP for a known email address and does not require elevated privileges or additional software. Because the rate limiter could be bypassed, an attacker can carry out the attack from any location that can reach the Outline instance, making it a remote exploitation path."}}}}, "created": "2026-03-27T08:31:54.099331+00:00", "updated": "2026-03-31T20:01:28.949602+00:00", "vendors": ["getoutline", "getoutline$PRODUCT$outline"]}