CVE-2026-41571
Note Mark · Note Mark
A critical authentication bypass vulnerability in Note Mark 0.19.2 allows unauthenticated attackers to gain valid sessions by submitting a hard-coded password string.
Executive summary
Note Mark version 0.19.2 contains a critical authentication bypass vulnerability that allows unauthorized attackers to hijack user sessions without interaction.
Vulnerability
This vulnerability stems from an insecure fallback mechanism in the IsPasswordMatch function, where OIDC-registered users with empty passwords can be bypassed by submitting the string "null". This allows an unauthenticated attacker to successfully authenticate as any user who has not set a custom password.
Business impact
The ability for an unauthenticated attacker to gain full access to user accounts poses a severe risk of data breach and unauthorized information disclosure. Given the CVSS score of 9.4, this vulnerability represents a critical threat to the confidentiality and integrity of all stored notes within the application.
Remediation
Immediate Action: Upgrade the Note Mark application to version 0.19.3 or later to remove the insecure password fallback logic.
Proactive Monitoring: Review authentication logs for anomalous login attempts, specifically searching for the string "null" being used in password fields.
Compensating Controls: If immediate patching is not feasible, restrict access to the internal login endpoint at the network or Web Application Firewall (WAF) level.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability is highly severe due to its ease of exploitation and the lack of required authentication. Organizations utilizing Note Mark 0.19.2 must prioritize the upgrade to version 0.19.3 immediately to prevent unauthorized access and potential data exfiltration.