Description
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.
Published: 2026-05-04
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the password validation logic of Note Mark 0.19.2, where IsPasswordMatch falls back to a hard‑coded bcrypt hash of the string "null" whenever a user record has no stored password. Because OIDC‑registered accounts are created with an empty password, anyone who submits the literal password "null" for such an account to the internal login endpoint receives a valid authenticated session. The bypass is unauthenticated, requires no user interaction, and gives the attacker full access to the targeted OIDC user's account, including that user's private notes. This is an authentication bypass consistent with CWE‑287 (Improper Authentication).
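
The fallback described above, reconstructed as an added illustration in Go (the language of the Note Mark backend). This is not Note Mark's code: the User type, the hashPassword/compareHash pair that stands in for bcrypt (kept standard‑library‑only so the example runs without golang.org/x/crypto), the Login helper and the sample accounts are constructed for the example, and FixedIsPasswordMatch shows one correct shape of the check, not the actual 0.19.3 patch.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// User is a constructed stand-in for the Note Mark user record described in
// the advisory: an OIDC-registered account is stored with an empty password.
type User struct {
	Username string
	Password string // stored password hash; "" for OIDC-registered users
}

// hashPassword and compareHash stand in for bcrypt so the example stays
// standard-library only (assumption). Salted SHA-256 is not an acceptable
// password hash for production; the lesson here is the fallback logic, not
// the KDF.
func hashPassword(password string) string {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	sum := sha256.Sum256(append(salt, []byte(password)...))
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(sum[:])
}

func compareHash(stored, password string) bool {
	parts := strings.SplitN(stored, "$", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err := hex.DecodeString(parts[0])
	if err != nil {
		return false
	}
	sum := sha256.Sum256(append(salt, []byte(password)...))
	return subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(parts[1])) == 1
}

// placeholderNull models the hard-coded bcrypt("null") value the advisory
// describes: a fixed hash of the literal string "null".
var placeholderNull = hashPassword("null")

// VulnerableIsPasswordMatch reproduces the 0.19.2 pattern described in the
// advisory: a user with no stored hash is checked against the placeholder, so
// the password "null" matches every such account.
func VulnerableIsPasswordMatch(u User, password string) bool {
	stored := u.Password
	if stored == "" {
		stored = placeholderNull
	}
	return compareHash(stored, password)
}

// FixedIsPasswordMatch is one correct shape (not necessarily the 0.19.3
// patch): an account with no stored hash has no password to match, so the
// answer is always false. Rejecting an empty submission closes the symmetric
// mistake.
func FixedIsPasswordMatch(u User, password string) bool {
	if u.Password == "" || password == "" {
		return false
	}
	return compareHash(u.Password, password)
}

// Login models the internal login endpoint: a session token is only issued
// when the supplied match function accepts the credentials.
func Login(match func(User, string) bool, users map[string]User, username, password string) (string, error) {
	u, ok := users[username]
	if !ok || !match(u, password) {
		return "", errors.New("invalid credentials")
	}
	return "session-for-" + u.Username, nil
}

// SampleUsers returns constructed accounts: one registered via OIDC (empty
// password field) and one local account with a stored hash.
func SampleUsers() map[string]User {
	return map[string]User{
		"alice": {Username: "alice", Password: ""},
		"bob":   {Username: "bob", Password: hashPassword("correct horse")},
	}
}

func main() {
	users := SampleUsers()
	matchers := []struct {
		name string
		f    func(User, string) bool
	}{
		{"vulnerable", VulnerableIsPasswordMatch},
		{"fixed", FixedIsPasswordMatch},
	}
	for _, m := range matchers {
		s, err := Login(m.f, users, "alice", "null")
		fmt.Printf("%-10s alice / \"null\": session=%q err=%v\n", m.name, s, err)
	}
}
```

Running the block shows the vulnerable matcher issuing a session for the OIDC account on the password "null" while the fixed matcher refuses; local accounts with a stored hash behave identically under both, which is why only accounts with an empty password field are exposed.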

Affected Systems

The affected product is enchant97:note‑mark version 0.19.2. The issue was fixed in version 0.19.3. Only installations of 0.19.2 that have accounts with no stored password (in practice, accounts registered through OIDC) are exposed; accounts that carry a stored password hash never reach the fallback.

Risk and Exploitability

The CVSS score of 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) reflects a critical level of severity. Although an EPSS score is not available, the vulnerability is exploitable with no prerequisite beyond the ability to reach the internal login endpoint and knowledge of an OIDC‑registered username. It is not listed in the CISA KEV catalog, but its high severity and the fact that the attack requires no user interaction make it a high‑risk issue for any environment exposing Note Mark to the internet or to an internal network. An attacker can obtain a session for any OIDC‑registered user, compromising the confidentiality and integrity of that user's data (the vector rates both as High, with a Low availability impact).

Generated by OpenCVE AI on May 4, 2026 at 19:22 UTC.

Remediation

The vendor fix is Note Mark 0.19.3, which removes the hard‑coded "null" fallback (see Description). No vendor‑published workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Note Mark to version 0.19.3 or later to eliminate the hard‑coded "null" password fallback.
  • As a temporary measure, disable OIDC registration, or make sure no account is stored with an empty password field, since the fallback is only reached when the stored password is empty.
  • Restrict network access to the internal login endpoint to trusted systems or IP ranges to reduce the attack surface.

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:45:00 +0000

Type: First Time appeared
Values added: Enchant97; Enchant97 note-mark
Type: Vendors & Products
Values added: Enchant97; Enchant97 note-mark

Mon, 04 May 2026 18:15:00 +0000

Type: Description
Values added: Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.
Type: Title
Values added: Note Mark: OIDC-registered users authenticated by submitting password "null"
Type: Weaknesses
Values added: CWE-287
Type: References (values not shown)
Type: Metrics (cvssV3_1)
Values added: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:20:53.632Z

Reserved: 2026-04-21T14:15:21.957Z

Link: CVE-2026-41571

Vulnrichment

Updated: 2026-05-04T20:20:41.523Z

NVD

Status: Received

Published: 2026-05-04T18:16:29.600

Modified: 2026-05-04T21:16:31.580

Link: CVE-2026-41571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:30:02Z

Weaknesses