CVE-2026-41571 Overview
CVE-2026-41571 is a critical authentication bypass vulnerability in Note Mark, an open-source note-taking application. Version 0.19.2 contains a flawed password verification routine in IsPasswordMatch within backend/db/models.go. The function falls back to a hard-coded bcrypt("null") placeholder whenever a user record has no stored password. Users registered through OpenID Connect (OIDC) are created with empty passwords, making them directly exploitable. An unauthenticated attacker can submit password: "null" to the internal login endpoint and receive a valid session for any OIDC-registered account. The issue is patched in version 0.19.3.
Critical Impact
Unauthenticated attackers can take over any OIDC-registered Note Mark account by submitting the literal string null as the password to the internal login endpoint.
Affected Products
- Note Mark version 0.19.2
- Note Mark instances using OIDC authentication for user registration
- Self-hosted deployments of enchant97/note-mark
Discovery Timeline
- 2026-05-04 - CVE-2026-41571 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-41571
Vulnerability Analysis
The vulnerability resides in the IsPasswordMatch function in backend/db/models.go. The function is responsible for comparing a submitted password against the stored bcrypt hash for a given user. When a user has no stored password hash, the function does not reject the authentication attempt outright. Instead, it substitutes a hard-coded bcrypt hash of the string "null" and performs the comparison against that placeholder.
Note Mark creates OIDC-registered users without local password hashes because authentication is delegated to the identity provider. These accounts therefore satisfy the empty-password condition that triggers the placeholder fallback. The internal username and password login endpoint remains reachable for those accounts. An attacker who knows or guesses an OIDC user's username can authenticate by sending the literal string null as the password and receive a valid session token. The vulnerability is classified under [CWE-287: Improper Authentication].
Root Cause
The root cause is a Use of Hard-coded Credentials pattern combined with insecure default behavior. Authentication logic should fail closed when no credential material is available. Instead, the comparison routine fails open against a known constant, allowing any caller who supplies that constant to authenticate.
Attack Vector
The attack is remote and unauthenticated and requires no user interaction. An attacker enumerates or guesses a valid OIDC username, then issues an HTTP POST request to the internal login endpoint with that username and the password value null. The server returns a valid session, granting full access to the targeted user's notes and account functionality. Refer to the GitHub Security Advisory GHSA-pxf8-6wqm-r6hh for technical details.
Detection Methods for CVE-2026-41571
Indicators of Compromise
- Successful authentication events on the internal login endpoint for users provisioned through OIDC
- HTTP POST requests to the login endpoint containing the literal value null in the password field
- Session creation events for accounts that have never previously used local password authentication
- Unexpected access to notes or account settings from unfamiliar IP addresses for OIDC users
Detection Strategies
- Inspect application logs for login submissions where the password parameter equals the string null
- Correlate local login successes with user records that have empty password_hash fields in the database
- Alert on any OIDC-registered account authenticating through the username and password endpoint rather than the OIDC flow
Monitoring Recommendations
- Forward Note Mark application and reverse proxy logs to a centralized logging or SIEM platform
- Track baseline login behavior per user and flag deviations from the expected OIDC authentication path
- Review session issuance metrics for spikes that coincide with the vulnerable version 0.19.2
How to Mitigate CVE-2026-41571
Immediate Actions Required
- Upgrade Note Mark to version 0.19.3 or later without delay
- Audit user accounts for unauthorized session activity, particularly OIDC-registered users
- Invalidate all existing sessions and force re-authentication after upgrading
- Rotate any sensitive content stored in notes that may have been exposed
Patch Information
The maintainers fixed the vulnerability in version 0.19.3 by removing the hard-coded bcrypt("null") fallback so that users without stored passwords cannot authenticate through the local login endpoint. Download details are available in the GitHub Release v0.19.3 notes.
Workarounds
- Restrict access to the Note Mark instance behind a VPN or authenticated reverse proxy until patching is complete
- Disable the internal username and password login endpoint where feasible, leaving only the OIDC flow active
- Set non-empty placeholder password hashes for all OIDC-registered users to bypass the vulnerable code path as a temporary measure
# Upgrade Note Mark container to the patched release
docker pull ghcr.io/enchant97/note-mark:0.19.3
docker stop note-mark && docker rm note-mark
docker run -d --name note-mark \
-p 8080:8080 \
-v note-mark-data:/data \
ghcr.io/enchant97/note-mark:0.19.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
