CVE-2026-40265
Received Received - Intake
Unauthorized Access in Note Mark Asset Download Endpoint

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40265
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mark note_mark to 0.19.2 (exc)
mark note_mark 0.19.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Note Mark, an open-source note-taking application, in versions 0.19.1 and earlier. The issue is that the asset download endpoint (/api/notes/{noteID}/assets/{assetID}) does not have authentication middleware and does not verify whether the user owns the note or if the book containing the note is visible to them. As a result, an unauthenticated user who knows a valid note ID and asset ID can access and download private note assets without any authentication, regardless of the privacy settings of the associated book.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private note assets. An attacker who knows valid note and asset IDs can access sensitive or confidential information stored in private notes without any authentication. This could result in data breaches, loss of privacy, and exposure of sensitive information to unauthorized parties.

Mitigation Strategies

To mitigate this vulnerability, upgrade Note Mark to version 0.19.2 or later, where the issue has been fixed.

Until the upgrade can be performed, restrict access to the /api/notes/{noteID}/assets/{assetID} endpoint to authenticated users only, and ensure proper ownership and visibility checks are enforced.

Compliance Impact

This vulnerability allows unauthenticated users to access private note assets without any authentication or ownership verification. Such unauthorized access to private data could potentially lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over access to personal or sensitive information.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Detection Guidance

This vulnerability can be detected by checking if the Note Mark application version is 0.19.1 or earlier, as these versions have an unauthenticated asset download endpoint.

To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the endpoint pattern /api/notes/{noteID}/assets/{assetID} without authentication.

Example commands to detect such requests in web server logs or via network traffic capture include:

  • Using grep on web server logs to find access to the vulnerable endpoint: grep "/api/notes/" /var/log/nginx/access.log
  • Using tcpdump to capture HTTP requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "/api/notes/"
  • Using curl to test if the endpoint is accessible without authentication (replace noteID and assetID with valid values): curl -i http://yourserver/api/notes/{noteID}/assets/{assetID}
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart