Skip to main content

HedgeDoc CVE-2026-58489

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-13 GitHub_M
6.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Attacker needs no privileges; victim must click crafted link (UI:R); scope changes as note content crosses to attacker's GitHub Gist (S:C); AC:H reflects need for attacker's own valid OAuth code.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 23:16 vuln.today
Analysis Generated
Jul 13, 2026 - 23:16 vuln.today

DescriptionCVE.org

HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2  state  value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not properly validated, an attacker could forge a callback URL containing their own valid GitHub OAuth code. When processing the callback, HedgeDoc used the victim's logged-in session to select which note to export, but the attacker's authorization code to determine which GitHub account received it. As a result, a logged-in victim who clicked a crafted link could export their own private, protected, or limited note directly into a Gist controlled by the attacker. This issue has been fixed in version 1.11.0.

AnalysisAI

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains own GitHub OAuth code
Delivery
Craft forged HedgeDoc callback URL with attacker code
Exploit
Deliver crafted link to logged-in victim
Execution
Victim clicks link, HedgeDoc validates victim session
Persist
HedgeDoc exchanges attacker code for attacker GitHub token
Impact
Victim's note exported to attacker's Gist

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the target HedgeDoc instance must have GitHub OAuth integration configured with valid clientID and clientSecret, enabling the Gist export feature; (2) the victim must be actively authenticated to HedgeDoc at the time of the attack; and (3) the victim must click a specifically crafted callback URL delivered by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.8 reflects meaningful real-world risk constrained by exploitation complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker authenticates to their own GitHub account and initiates an OAuth authorization flow to obtain a valid GitHub authorization code. They then construct a forged HedgeDoc Gist export callback URL - pointing to `/auth/github/callback/<victim-note-id>/gist` - embedding their own valid code and any arbitrary state string. …
Remediation Upgrade HedgeDoc to version 1.11.0, which introduces proper session-bound OAuth2 state validation in the Gist export callback handler (commit fbd7307f162754212046ec343cbe691223a48c8d). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-26287 HIGH POC
8.7 Dec 29

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerabilit

CVE-2023-38487 HIGH POC
8.2 Aug 04

HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerabi

CVE-2024-45308 MEDIUM POC
6.5 Sep 02

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this

CVE-2021-21259 MEDIUM POC
6.1 Jan 22

HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CV

CVE-2021-29475 CRITICAL
10.0 Apr 26

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0)

CVE-2021-29474 MEDIUM POC
5.8 Apr 26

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), t

CVE-2026-58486 HIGH
8.3 Jul 13

Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "ali

CVE-2020-26286 HIGH
7.5 Dec 29

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2026-58488 MEDIUM
6.9 Jul 13

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force prot

CVE-2025-32391 MEDIUM
6.4 Apr 10

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this

CVE-2021-39175 MEDIUM
6.1 Aug 30

HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp

CVE-2021-29503 MEDIUM
6.1 May 19

HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp

Share

CVE-2026-58489 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy