Skip to main content

note-mark CVE-2026-50554

MEDIUM
Information Exposure (CWE-200)
2026-07-09 https://github.com/enchant97/note-mark GHSA-588f-fvcv-xhvf
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Unauthenticated network endpoint, no complexity; confidentiality impact is Low because only note metadata - not body content - is disclosed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 14:35 vuln.today

DescriptionGitHub Advisory

Summary

GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped() (bypassing GORM's soft-delete scope) but keeps the read-authorization clause as "owner_id = ? OR is_public = ?". As a result, any unauthenticated caller can enumerate the metadata of soft-deleted ("trashed") notes belonging to any public book - notes the owner explicitly deleted and expected to be removed from public view.

Affected component (code-verified)

backend/services/notes.go - GetNotesByBookID (lines 72-89):

func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) { tx := db.DB if deleted { tx = tx.Unscoped() // <-- bypasses soft-delete scope } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book_id"). Where( db.DB.Where("books.id = ?", bookID), db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true), // <-- is_public still honored for trash ) if deleted { tx = tx.Where("notes.deleted_at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(&notes).Error) }

Route registration confirms the endpoint has no AuthRequiredMiddleware (backend/handlers/notes.go:37), and the deleted flag is attacker-controlled (backend/handlers/notes.go:86 - Deleted bool with query:"deleted").

Proof of concept

  1. A victim owns a public book (is_public = true), creates a note, then soft-deletes it (moves it to trash). The note still exists in the DB with

deleted_at set.

  1. An unauthenticated attacker who knows (or enumerates) the book UUID requests: GET /api/books/<bookID>/notes?deleted=true
  2. The response lists the soft-deleted note(s) - id, title, slug, timestamps - even though the attacker is not authenticated and the owner

intended the note to be deleted.

Impact

Exposure of soft-deleted note metadata (title, slug, timestamps) of public books to unauthenticated actors. The note body is not exposed - the content endpoint (GetNoteContent) does not use Unscoped(), so its count query returns 0 for soft-deleted notes and yields 404. Impact is therefore limited to metadata disclosure and the bypass of the intended "delete" semantics on public books.

Remediation

Restrict trash (soft-deleted) listings to the book owner only - never honor the is_public branch when deleted=true:

func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) { tx := db.DB if deleted { tx = tx.Unscoped() } + // Soft-deleted ("trash") notes must only ever be listed to the book owner. + authz := db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true) + if deleted { + authz = db.DB.Where("owner_id = ?", currentUserID) + } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book_id"). Where( db.DB.Where("books.id = ?", bookID),

  • db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true),

+ authz, ) if deleted { tx = tx.Where("notes.deleted_at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(&notes).Error) }

With this change, when currentUserID is nil (unauthenticated) and deleted=true, the clause becomes owner_id = NULL, which matches nothing - so trash is never exposed to anonymous callers.

Coordinated disclosure / CVE request

We have reported this privately and are happy to assist with any further validation or testing you need. If you agree this qualifies as a security vulnerability, we would be grateful if you could request a CVE ID for it - GitHub lets maintainers request a CVE directly from this advisory page once it is accepted. Thank you for your time and for maintaining note-mark.

References

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-285: Improper Authorization
  • Prior note-mark authorization fix (CVE-2026-40265) established that read paths must scope by owner_id OR is_public; this report covers the trash

path that the scope did not fully cover.

---

AnalysisAI

{bookID}/notes carries no authentication middleware, and supplying ?deleted=true causes the service to invoke GORM's Unscoped() while retaining the is_public=true authorization branch, allowing any network-accessible actor to retrieve titles, slugs, and timestamps of notes an owner deliberately deleted from a public book. No active exploitation is confirmed (not listed in CISA KEV), though a fully functional proof of concept is embedded in the vendor advisory, and exploitation requires only a single crafted HTTP GET request.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public book UUID
Exploit
Send GET /api/books/<UUID>/notes?deleted=true unauthenticated
Execution
Service invokes Unscoped() with is_public=true branch
Impact
Response returns soft-deleted note metadata

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the target note-mark instance must have at least one book with is_public = true; (2) the attacker must know or be able to enumerate a valid UUID for that public book; (3) the deployment must be running the unpatched version of GetNotesByBookID. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) is consistent with the description: fully unauthenticated, zero-complexity network exploitation, but confidentiality impact is correctly bounded to Low because only metadata fields (title, slug, timestamps) leak - note body content is protected by a separate endpoint that does not use Unscoped() and returns 404 for soft-deleted notes. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies or enumerates a valid UUID for a public book in a note-mark instance - for example, by browsing the public-facing book list. The attacker then issues a single HTTP GET request to /api/books/<UUID>/notes?deleted=true and receives a JSON array containing the titles, slugs, and deletion timestamps of notes the book owner moved to trash, exposing information the owner expected to be permanently removed from public view. …
Remediation The vendor has issued a patch via commit 9c9b72740f22a06131a8f64b53bb08e3b05b81a6 (https://github.com/enchant97/note-mark/commit/9c9b72740f22a06131a8f64b53bb08e3b05b81a6), which restricts the authorization clause to owner_id = ? … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy