CVE-2026-40265
Unauthorized Access in Note Mark Asset Download Endpoint
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mark | note_mark | to 0.19.2 (exc) |
| mark | note_mark | 0.19.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Note Mark, an open-source note-taking application, in versions 0.19.1 and earlier. The issue is that the asset download endpoint (/api/notes/{noteID}/assets/{assetID}) does not have authentication middleware and does not verify whether the user owns the note or if the book containing the note is visible to them. As a result, an unauthenticated user who knows a valid note ID and asset ID can access and download private note assets without any authentication, regardless of the privacy settings of the associated book.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of private note assets. An attacker who knows valid note and asset IDs can access sensitive or confidential information stored in private notes without any authentication. This could result in data breaches, loss of privacy, and exposure of sensitive information to unauthorized parties.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Note Mark to version 0.19.2 or later, where the issue has been fixed.
Until the upgrade can be performed, restrict access to the /api/notes/{noteID}/assets/{assetID} endpoint to authenticated users only, and ensure proper ownership and visibility checks are enforced.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated users to access private note assets without any authentication or ownership verification. Such unauthorized access to private data could potentially lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over access to personal or sensitive information.
However, the provided information does not explicitly mention compliance impacts or regulatory considerations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Note Mark application version is 0.19.1 or earlier, as these versions have an unauthenticated asset download endpoint.
To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the endpoint pattern /api/notes/{noteID}/assets/{assetID} without authentication.
Example commands to detect such requests in web server logs or via network traffic capture include:
- Using grep on web server logs to find access to the vulnerable endpoint: grep "/api/notes/" /var/log/nginx/access.log
- Using tcpdump to capture HTTP requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "/api/notes/"
- Using curl to test if the endpoint is accessible without authentication (replace noteID and assetID with valid values): curl -i http://yourserver/api/notes/{noteID}/assets/{assetID}