Description
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Note Mark, a note‑taking application, had a flaw in its handling of soft‑deleted public books. Prior to version 0.19.3, deleting a public book did not hide its notes or assets; the API endpoints /api/notes/{id}, /api/notes/{id}/content, the slug URL, and asset links continued to return data. An attacker who learns a note identifier or a book slug can retrieve personal or business information without authentication, exposing confidential data. The weakness stems from GORM’s soft‑delete scope not applying to custom JOIN queries, identified as CWE‑285: Improper Access Control.
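The query shape behind this weakness, reproduced as an added example that is not Note Mark's own code. The schema, table and column names are assumptions (a nullable deleted_at column in the GORM soft-delete style, a books.is_public flag), and Python's sqlite3 stands in for the real database so the example runs offline. It shows the vulnerable statement, which filters notes.deleted_at but not the joined books row, the hardened statement with the parent predicate added, and a small review helper that flags raw SQL referencing a soft-deletable table without its deleted_at filter. The slug and asset lookups named above need the same predicate; only the by-id lookup is modelled here.

```python
import re
import sqlite3

# Constructed, simplified schema for the demonstration: two soft-deletable
# tables in the GORM style, where deleted_at IS NULL marks a live row.
# This is not Note Mark's real schema; names and rows are made up.
SCHEMA = """
CREATE TABLE books (
    id         INTEGER PRIMARY KEY,
    slug       TEXT NOT NULL,
    is_public  INTEGER NOT NULL,
    deleted_at TEXT
);
CREATE TABLE notes (
    id         INTEGER PRIMARY KEY,
    book_id    INTEGER NOT NULL REFERENCES books(id),
    content    TEXT NOT NULL,
    deleted_at TEXT
);
INSERT INTO books VALUES (1, 'live-book',    1, NULL);
INSERT INTO books VALUES (2, 'deleted-book', 1, '2026-05-01T00:00:00Z');
INSERT INTO notes VALUES (10, 1, 'note in a live public book', NULL);
INSERT INTO notes VALUES (20, 2, 'note in a soft-deleted public book', NULL);
"""

# Query shape that reproduces the bug: the ORM's soft-delete scope filters
# the queried model (notes.deleted_at IS NULL), but the hand-written JOIN
# carries no equivalent predicate for the parent table.
VULNERABLE_NOTE_SQL = """
SELECT notes.id, notes.content
FROM notes
JOIN books ON books.id = notes.book_id
WHERE notes.id = ? AND books.is_public = 1 AND notes.deleted_at IS NULL
"""

# Hardened shape: the parent's soft-delete state is part of the
# authorization predicate, so notes of a deleted book stop being public.
FIXED_NOTE_SQL = """
SELECT notes.id, notes.content
FROM notes
JOIN books ON books.id = notes.book_id
WHERE notes.id = ? AND books.is_public = 1
  AND notes.deleted_at IS NULL AND books.deleted_at IS NULL
"""


def open_demo_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_public_note(conn, note_id, sql):
    """Run the given public-note query; None means 'not visible' (a 404)."""
    row = conn.execute(sql, (note_id,)).fetchone()
    return None if row is None else {"id": row[0], "content": row[1]}


def missing_soft_delete_filters(sql, soft_deleted_tables):
    """Review helper: list the tables named in FROM/JOIN that are soft-deletable
    but have no '<table>.deleted_at IS NULL' predicate anywhere in the query."""
    referenced = set(re.findall(r"\b(?:FROM|JOIN)\s+(\w+)", sql, re.IGNORECASE))
    missing = []
    for table in sorted(referenced & set(soft_deleted_tables)):
        if not re.search(rf"\b{table}\.deleted_at\s+IS\s+NULL\b", sql, re.IGNORECASE):
            missing.append(table)
    return missing


def demo():
    """Exercise both query shapes against the seeded data and lint them."""
    conn = open_demo_db()
    soft_deletable = {"books", "notes"}
    return {
        "vulnerable_live_book": fetch_public_note(conn, 10, VULNERABLE_NOTE_SQL),
        "vulnerable_deleted_book": fetch_public_note(conn, 20, VULNERABLE_NOTE_SQL),
        "fixed_live_book": fetch_public_note(conn, 10, FIXED_NOTE_SQL),
        "fixed_deleted_book": fetch_public_note(conn, 20, FIXED_NOTE_SQL),
        "lint_vulnerable": missing_soft_delete_filters(VULNERABLE_NOTE_SQL, soft_deletable),
        "lint_fixed": missing_soft_delete_filters(FIXED_NOTE_SQL, soft_deletable),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lint is deliberately crude (a regex over the statement text) and is meant for code review or a unit test over the application's raw query strings, not as a runtime control; the durable fix is the predicate on the parent table, or a scope the ORM applies to every join of a soft-deletable model.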

Affected Systems

The product affected is Note Mark (enchant97:note-mark). Any installation running a version older than 0.19.3 is vulnerable. Version 0.19.3 and later contain the fix that prevents access to notes of soft‑deleted public books.

Risk and Exploitability

The CVSS score is 5.3 (Medium severity). EPSS is not available and the vulnerability is not in CISA KEV, so it is rated a moderate risk. Because the flaw is exposed through public API endpoints, an unauthenticated attacker can retrieve data simply by requesting known URLs; no additional software or privilege escalation is required.

Generated by OpenCVE AI on May 4, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Note Mark to version 0.19.3 or later to apply the security fix.
  • If an upgrade is not yet possible, restrict unauthenticated access to the /api/notes/* and asset endpoints by configuring the reverse proxy or firewall to allow requests only from authenticated users or specific IP ranges.
  • Remove or delete any soft‑deleted public books whose notes and assets remain exposed, so that the content is no longer available via the API.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:45:00 +0000 (values added; nothing removed)
  First Time appeared: Enchant97; Enchant97 note-mark
  Vendors & Products: Enchant97; Enchant97 note-mark

Mon, 04 May 2026 20:30:00 +0000 (values added; nothing removed)
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 18:15:00 +0000 (values added; nothing removed)
  Description: Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.
  Title: Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
  Weaknesses: CWE-285
  References: (none listed)
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Enchant97 Note-mark
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:39:55.331Z

Reserved: 2026-04-21T14:15:21.957Z

Link: CVE-2026-41572

Vulnrichment

Updated: 2026-05-04T19:39:51.722Z

NVD

Status : Received

Published: 2026-05-04T18:16:29.763

Modified: 2026-05-04T20:16:18.750

Link: CVE-2026-41572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T20:30:07Z

Weaknesses