CVE-2026-41571

Note Mark · Note Mark

A critical authentication bypass vulnerability in Note Mark 0.19.2 allows unauthenticated attackers to gain valid sessions by submitting a hard-coded password string.

Executive summary

Note Mark version 0.19.2 contains a critical authentication bypass vulnerability that allows unauthorized attackers to hijack user sessions without interaction.

Vulnerability

This vulnerability stems from an insecure fallback mechanism in the IsPasswordMatch function, where OIDC-registered users with empty passwords can be bypassed by submitting the string "null". This allows an unauthenticated attacker to successfully authenticate as any user who has not set a custom password.

Business impact

The ability for an unauthenticated attacker to gain full access to user accounts poses a severe risk of data breach and unauthorized information disclosure. Given the CVSS score of 9.4, this vulnerability represents a critical threat to the confidentiality and integrity of all stored notes within the application.

Remediation

Immediate Action: Upgrade the Note Mark application to version 0.19.3 or later to remove the insecure password fallback logic.

Proactive Monitoring: Review authentication logs for anomalous login attempts, specifically searching for the string "null" being used in password fields.

Compensating Controls: If immediate patching is not feasible, restrict access to the internal login endpoint at the network or Web Application Firewall (WAF) level.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability is highly severe due to its ease of exploitation and the lack of required authentication. Organizations utilizing Note Mark 0.19.2 must prioritize the upgrade to version 0.19.3 immediately to prevent unauthorized access and potential data exfiltration.