Description
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.
Published: 2026-05-14
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Note Mark stores session identifiers as JSON Web Tokens signed with a user-defined JWT_SECRET. Prior to version 0.19.4 the secret configuration accepts any base64-decodable value, including secrets as small as one byte. The lack of a minimum length or entropy requirement allows an adversary to guess or brute-force the secret. It is inferred that an attacker who discovers a valid secret can generate tokens that authenticate as any user, thereby gaining full access to application data. This weakness is characterized by CWE-326 (Improper Key Size or Strength) and CWE-345 (Missing Authentication).

Affected Systems

All releases of Note Mark earlier than 0.19.4 are affected. The vendor and product identifier is enchant97:note-mark. Any deployment of a pre-0.19.4 build that uses the default or a user-defined short JWT_SECRET is vulnerable.

Risk and Exploitability

The CVSS score of 10 flags this flaw as critically severe. EPSS is not available, but the absence of protection against brute force attempts implies a realistic exploitation window. The vulnerability is not listed in CISA KEV. It is inferred that the attack vector involves forging JWT tokens by exploiting the weak secret enforcement, leading to unrestricted account takeover.
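
As an added, defender-side illustration of the check the fix introduces (this is not Note Mark's own code; the project is assumed here to be written in Go): decode the configured JWT_SECRET at startup and refuse keys that are too short or too repetitive to resist guessing. The 32-byte floor and the 3 bits/byte entropy threshold are assumptions chosen for this example, not values taken from the project.

```go
package main

import (
	"encoding/base64"
	"errors"
	"math"
)

const MinSecretBytes = 32 // 256 bits, the key size HMAC-SHA256 signing is designed around (assumed floor)

var ErrSecretTooShort = errors.New("JWT_SECRET decodes to fewer than 32 bytes")
var ErrSecretLowEntropy = errors.New("JWT_SECRET is too repetitive to resist guessing")

// shannonEntropy returns the Shannon entropy of b in bits per byte.
func shannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// ValidateJWTSecret decodes a base64 JWT_SECRET (padded or unpadded) and rejects
// it when the raw key is too short or too low-entropy, so a weak value fails at
// startup instead of silently signing every session token.
func ValidateJWTSecret(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		if raw, err = base64.RawStdEncoding.DecodeString(encoded); err != nil {
			return nil, err
		}
	}
	if len(raw) < MinSecretBytes {
		return nil, ErrSecretTooShort
	}
	// 32 random bytes score close to 5 bits/byte; filler such as "aaaa..." scores near 0.
	if shannonEntropy(raw) < 3.0 {
		return nil, ErrSecretLowEntropy
	}
	return raw, nil
}
```

A one-byte value such as the base64 string "AQ==" is rejected as too short, and a 32-byte run of identical characters is rejected for low entropy, while 32 distinct random bytes pass.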

Generated by OpenCVE AI on May 14, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Note Mark 0.19.4 or later to enforce secret length and entropy requirements.
  • Configure JWT_SECRET with a high‑entropy value (at least 32 random characters) to mitigate brute‑force attacks.
  • Invalidate all existing JWT tokens and rotate the secret immediately after applying the patch to stop sessions that might already be compromised.


Advisories
Source: GitHub GHSA
ID: GHSA-q6mh-rqwh-g786
Title: Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery

History

Fri, 15 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 21:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Enchant97; Enchant97 note-mark
Type: Vendors & Products
Values Removed: (none)
Values Added: Enchant97; Enchant97 note-mark

Thu, 14 May 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.
Type: Title
Values Added: Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery
Type: Weaknesses
Values Added: CWE-326, CWE-345
Type: References
Values Added: (empty)
Type: Metrics (cvssV3_1)
Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:55:08.782Z

Reserved: 2026-05-06T19:38:10.566Z

Link: CVE-2026-44523

Vulnrichment

Updated: 2026-05-15T14:53:34.792Z

NVD

Status : Deferred

Published: 2026-05-14T19:16:37.470

Modified: 2026-05-15T15:16:52.960

Link: CVE-2026-44523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:15:16Z

Weaknesses