The scheme of CP-ABE is widely used in data security protection in cloud outsourcing service. The architecture based on CP-ABE involves user, SP, PKG and CSP. Under this situation, PKG is trusted by default. However, in the real situation, except the default situation, there exists another scenario, where there is no SP and user communicates with PKG and CSP directly. In the above environment PKG may be untrusted. Once PKG is colluded with CSP or PKG is compromised, the adversary can get the decryption keys from PKG easily and the data preserved on CSP will be decrypted and leaked. In this paper, we first innovatively propose a scheme that can resist the attack from the aforementioned situations. The idea of the scheme is that a factor generated by the user is added to the secret key and the cipher text. The secret key is added the factor, which results that even PKG is compromised or untrusted, the secret key cannot be obtained. We apply the idea on the Li's scheme and make it be suitable for the cloud outsourcing environment with an untrusted PKG. Finally, we prove the security of our scheme.