Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
No minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte.
HS256 secrets below 32 bytes are brute-forceable offline, allowing attackers to recover the signing key and forge valid JWTs for arbitrary users.
---
Impact
An attacker who captures a single valid JWT (e.g, from cookies, logs, or network traffic) can:
\> Crack the signing secret offline using brute-force or wordlist attacks \> Forge valid JWTs for any user ID (including administrators) \> Authenticate without knowing any credentials
This results in full account takeover across the entire application with no server-side detection or rate limiting possible.
---
Details
In backend/config/utils.go, the Base64Decoded.UnmarshalText function decodes the JWT secret but does not validate its length or entropy.
In backend/core/auth.go, JWT tokens are signed using HS256 without enforcing minimum key size requirements.
According to RFC 7518 Section 3.2, HS256 keys must be at least 256 bits (32 bytes). Libraries such as PyJWT explicitly warn against shorter keys, but note-mark performs no such validation.
---
PoC
1- Deploy note-mark with a weak secret:
JWT_SECRET = base64("testsecret123456789012345")2- Register an account and capture the Auth-Session-Token cookie
3- Crack the secret offline (example using Python):
import jwt, base64
jwt.decode(TOKEN, base64.b64decode(SECRET), algorithms=["HS256"])4- Forge a new token for any user UUID with extended expiry
5- Send the forged token in requests → server returns 200 Ok and authenticates as that user
---
Reproduction Steps
1- Deploy the application with a JWT secret shorter than 32 bytes (after base64 decoding) 2- Authenticate and capture a valid JWT 3- Perform offline brute-force or dictionary attack against the token signature 4- Recover the secret 5- Generate a forged JWT for another user 6- Use the forged token to access protected endpoints
---
Fix Recommendation
- Enforce a minimum of 32 bytes (256 bits) for JWT secrets after base64 decoding
- Reject weak secrets during configuration parsing (e.g., in
Base64Decoded.UnmarshalTextor config validation) - Optionally log warnings or fail startup if the secret is insecure
---
Resources
- RFC 7518 Section 3.2 (JSON Web Algorithms - HMAC key size requirements)
- CWE-326: Inadequate Encryption Strength
- CWE-345: Insufficient Verification of Data Authenticity
---
AnalysisAI
JWT secret validation bypass in Note Mark allows full account takeover through offline token forgery. The Go-based note-taking application accepts HS256 signing secrets shorter than RFC 7518's required 32 bytes, enabling attackers to capture a single valid JWT from network traffic or logs, brute-force the weak secret offline, and forge authentication tokens for any user including administrators. Publicly available exploit code exists (vendor-published PoC in GitHub advisory GHSA-q6mh-rqwh-g786). Vendor-released patch available in commit 18b587758667 and release v0.19.4. CVSS 10.0 reflects unauthenticated network exploitation with scope change, though real-world impact requires JWT capture as a prerequisite.
Technical ContextAI
The vulnerability affects the JWT implementation in Note Mark's Go backend (pkg:go/github.com_enchant97_note-mark_backend). JWT (JSON Web Token) authentication uses cryptographic signatures to verify token authenticity without server-side session state. Note Mark implements HS256 (HMAC-SHA256), a symmetric signing algorithm where the same secret both signs and validates tokens. RFC 7518 Section 3.2 mandates minimum 256-bit (32-byte) keys for HS256 because shorter secrets are vulnerable to brute-force attacks - an attacker with a valid token can test billions of candidate secrets offline until finding one that produces a matching signature. The flaw maps to CWE-326 (Inadequate Encryption Strength) because config/utils.go's Base64Decoded.UnmarshalText function performs base64 decoding without length validation, and core/auth.go signs tokens with whatever key is provided. The patch adds a validate:"gte=32" constraint in config/config.go to enforce the 32-byte minimum during application startup, causing misconfigured deployments to fail safely rather than operate insecurely.
RemediationAI
Upgrade to Note Mark v0.19.4 or apply commit 18b587758667 from https://github.com/enchant97/note-mark/commit/18b58775866776ed400c403dd0ccad68c1fa4802. The patch adds validation requiring JWT_SECRET to decode to minimum 32 bytes, causing application startup to fail if the secret is weak. After upgrading, generate a new cryptographically strong secret (minimum 32 random bytes, base64-encoded) and update the JWT_SECRET environment variable - example: openssl rand -base64 32. Rotate the secret immediately if current value is under 32 bytes, as any previously issued tokens signed with the weak secret can be forged. Secret rotation invalidates all existing user sessions, requiring re-authentication. For unpatched systems awaiting upgrade, no effective workaround exists because the vulnerability is in core authentication logic - compensating controls (network segmentation, JWT expiry reduction) only limit attack surface but do not prevent token forgery if the secret is weak. Audit application logs for unexpected authentication patterns (admin logins from unusual IPs, token reuse across sessions) as potential indicators of forged tokens. Full advisory: https://github.com/enchant97/note-mark/security/advisories/GHSA-q6mh-rqwh-g786.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-326 – Inadequate Encryption Strength
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30367
GHSA-q6mh-rqwh-g786