Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41572

CVE-2026-41572: Note Mark Authentication Bypass Flaw

CVE-2026-41572 is an authentication bypass vulnerability in Note Mark that allows unauthorized access to soft-deleted notes and assets. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-41572 Overview

CVE-2026-41572 is a broken access control vulnerability [CWE-285] in Note Mark, an open-source note-taking application. Versions prior to 0.19.3 fail to enforce soft-delete state on note and asset queries. After an owner soft-deletes a public book, its notes and uploaded assets remain readable through /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who possess the note ID or slug path retain full read access. The flaw originates in GORM's soft-delete scope, which does not propagate to raw JOIN books ... clauses used by note and asset queries. Maintainers fixed the issue in version 0.19.3.

Critical Impact

Unauthenticated remote attackers can read content from soft-deleted public books, exposing notes and uploaded assets that owners believed were removed.

Affected Products

  • Note Mark versions prior to 0.19.3
  • Open-source self-hosted Note Mark deployments
  • Public books and associated assets within affected instances

Discovery Timeline

  • 2026-05-04 - CVE CVE-2026-41572 published to NVD
  • 2026-05-04 - Last updated in NVD database

Technical Details for CVE-2026-41572

Vulnerability Analysis

Note Mark uses GORM, a Go object-relational mapper, to manage database access. GORM provides an automatic soft-delete scope that filters out records with a non-null deleted_at column from standard model queries. The note and asset endpoints retrieve records using raw JOIN books ... SQL clauses rather than GORM's model-level abstractions. The soft-delete scope does not apply to these joins, so deleted books continue to satisfy join conditions during query execution.

The consequence is straightforward. When an owner soft-deletes a public book, the parent record is flagged as deleted, but its child notes and assets remain reachable. Calls to /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints return data as if the book were still active. No authentication is required because the original public book did not require authentication.

Root Cause

The root cause is an incomplete authorization check tied to ORM scope behavior. Soft-delete enforcement in GORM applies only when queries flow through the model's default scope. Raw join clauses bypass that scope and read directly from the underlying tables. The application logic does not include an explicit books.deleted_at IS NULL predicate in the affected queries, so deletion state is never validated at the access layer.

Attack Vector

An unauthenticated attacker who previously captured a note ID or slug path from a public book can continue to read that content after deletion. The attacker issues a standard HTTP GET request to the note, content, slug, or asset endpoint. The server returns the resource because the query joins against the still-present book row without checking its soft-delete flag. Attack complexity is low and requires no user interaction.

No verified exploit code is available. Refer to the GitHub Security Advisory GHSA-3gr9-485j-v4xf for technical details.

Detection Methods for CVE-2026-41572

Indicators of Compromise

  • HTTP GET requests to /api/notes/{id}, /api/notes/{id}/content, or asset endpoints for note IDs that map to soft-deleted books
  • Successful unauthenticated responses for slug URLs that owners have deleted from the user interface
  • Access patterns from clients that retain note IDs collected before deletion events

Detection Strategies

  • Correlate book soft-delete events in application logs with subsequent successful reads on associated note and asset endpoints
  • Run database queries that compare notes.book_id and asset references against books rows where deleted_at IS NOT NULL and flag any read activity
  • Monitor reverse proxy or web server access logs for 200-status responses on note or asset paths after the parent book is removed

Monitoring Recommendations

  • Enable verbose request logging on the Note Mark API and forward events to a centralized logging platform
  • Alert on read traffic to note IDs whose parent book has a non-null deleted_at timestamp
  • Review web application firewall logs for repeated unauthenticated requests to note and asset endpoints

How to Mitigate CVE-2026-41572

Immediate Actions Required

  • Upgrade Note Mark to version 0.19.3 or later, available from the GitHub Release v0.19.3 page
  • Audit existing soft-deleted books and either hard-delete them or rotate the affected note IDs and slugs
  • Review access logs for unauthorized reads against soft-deleted resources and notify affected users if exposure is confirmed

Patch Information

The maintainers patched the issue in Note Mark 0.19.3. The fix updates the affected note and asset queries so that the books.deleted_at IS NULL condition is enforced, aligning the raw join clauses with GORM's soft-delete scope. Patch details are available in the GitHub Security Advisory GHSA-3gr9-485j-v4xf.

Workarounds

  • Hard-delete books instead of soft-deleting them until the upgrade is applied
  • Restrict access to the Note Mark instance behind authentication or network controls to limit unauthenticated reads
  • Apply database-level constraints or views that filter out rows referencing soft-deleted books for read operations
bash
# Configuration example: upgrade Note Mark container to patched version
docker pull ghcr.io/enchant97/note-mark:0.19.3
docker stop note-mark && docker rm note-mark
docker run -d --name note-mark -p 8080:8080 ghcr.io/enchant97/note-mark:0.19.3

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.