Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.
AnalysisAI
Cross-site request forgery (CSRF) in Open Notebook v1.8.1 enables remote attackers to manipulate or delete database entries through social engineering attacks. The vulnerability combines input validation flaws (CWE-20) with overly permissive default CORS settings, allowing malicious sites to send authenticated requests on behalf of legitimate users. Attackers craft malicious URLs that, when clicked by authenticated users, execute unauthorized database operations including data modification, deletion, and potential exfiltration depending on deployment configuration. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
Open Notebook is a note-taking and knowledge management application. This vulnerability stems from inadequate input validation (CWE-20: Improper Input Validation) combined with misconfigured Cross-Origin Resource Sharing (CORS) policies. CORS controls which external domains can make cross-origin HTTP requests to a web application. When CORS is overly permissive (accepting requests from arbitrary origins), it enables Cross-Site Request Forgery attacks where malicious websites can send authenticated API requests to the vulnerable application using the victim's browser credentials (cookies, session tokens). The improper input validation component suggests that API endpoints lack server-side validation to verify request legitimacy beyond origin checks, allowing malformed or malicious payloads to trigger unintended database operations. The CVSS 4.0 vector indicates network-based attack (AV:N), low complexity (AC:L), no attack requirements (AT:N), no privileges needed (PR:N), but requires user interaction (UI:P), with high impacts to confidentiality, integrity, and availability within the vulnerable system scope.
RemediationAI
Upgrade Open Notebook to a patched version as specified in the GitHub Security Advisory (https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c). The advisory should contain specific fix version and upgrade instructions. Until patching is possible, implement CSRF token validation on all state-changing API endpoints to verify request legitimacy - this requires code modification but provides strong protection. Configure CORS policies to restrict allowed origins to only trusted domains explicitly required for legitimate cross-origin functionality, replacing any wildcard (*) origin configurations. Deploy SameSite cookie attributes (SameSite=Strict or SameSite=Lax) for session cookies to prevent browsers from sending credentials with cross-site requests, though this may break legitimate cross-domain integrations. Implement server-side input validation on all API endpoints accepting database operations, validating data types, ranges, and business logic constraints. Note that CORS tightening may break existing integrations if third-party services legitimately access the API - document allowed origins before restricting. Consider deploying a Web Application Firewall (WAF) with CSRF detection rules as a temporary compensating control, though this provides only partial mitigation.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28345
GHSA-44mq-cghw-wf5x