HedgeDoc
CVE-2026-58489
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker needs no privileges; victim must click crafted link (UI:R); scope changes as note content crosses to attacker's GitHub Gist (S:C); AC:H reflects need for attacker's own valid OAuth code.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2 state value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not properly validated, an attacker could forge a callback URL containing their own valid GitHub OAuth code. When processing the callback, HedgeDoc used the victim's logged-in session to select which note to export, but the attacker's authorization code to determine which GitHub account received it. As a result, a logged-in victim who clicked a crafted link could export their own private, protected, or limited note directly into a Gist controlled by the attacker. This issue has been fixed in version 1.11.0.
AnalysisAI
HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the target HedgeDoc instance must have GitHub OAuth integration configured with valid clientID and clientSecret, enabling the Gist export feature; (2) the victim must be actively authenticated to HedgeDoc at the time of the attack; and (3) the victim must click a specifically crafted callback URL delivered by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.8 reflects meaningful real-world risk constrained by exploitation complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker authenticates to their own GitHub account and initiates an OAuth authorization flow to obtain a valid GitHub authorization code. They then construct a forged HedgeDoc Gist export callback URL - pointing to `/auth/github/callback/<victim-note-id>/gist` - embedding their own valid code and any arbitrary state string. … |
| Remediation | Upgrade HedgeDoc to version 1.11.0, which introduces proper session-bound OAuth2 state validation in the Gist export callback handler (commit fbd7307f162754212046ec343cbe691223a48c8d). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerabilit
HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerabi
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this
HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CV
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0)
HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), t
Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "ali
HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerabilit
Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force prot
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp
HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today