CVE-2026-28201
Analyzed Analyzed - Analysis Complete
Improper Input Validation and CORS Misconfiguration in Open Notebook

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: ENISA

Description
An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-17
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28201
EUVD
EUVD-2026-28345
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lfnovo open-notebook to 1.8.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-28201 vulnerability is a SurrealDB injection flaw in the open-notebook application version 1.8.1. It arises from improper input validation of the `order_by` parameter in the GET /api/notebooks endpoint, where user input is directly inserted into a SurrealQL query without sanitization.

This flaw allows a remote attacker to craft a malicious URL that, when clicked by a legitimate user, can inject harmful database commands. This can lead to unauthorized creation, modification, or deletion of database entries.

Additionally, an overly permissive default CORS configuration can enable data exfiltration depending on how the application is deployed.

Impact Analysis

This vulnerability can have severe impacts including unauthorized alteration or deletion of database records, which compromises data integrity and availability.

Because exploitation requires no privileges and only a user clicking a malicious URL (CSRF), it is relatively easy for attackers to execute.

Furthermore, due to the default overly permissive CORS settings, attackers may also be able to exfiltrate sensitive data from the application.

Detection Guidance

The vulnerability involves an unsanitized `order_by` parameter in the GET /api/notebooks endpoint that allows SurrealDB injection via a specially crafted URL. Detection can focus on monitoring HTTP requests to this endpoint for suspicious or unusual `order_by` parameter values that may contain injection attempts.

Network or system detection could include inspecting web server logs or using tools to capture and analyze HTTP GET requests to /api/notebooks, looking for unexpected or malicious input patterns in the `order_by` parameter.

Example commands to detect suspicious requests might include:

  • Using grep on web server logs to find requests to the vulnerable endpoint: `grep "/api/notebooks" /var/log/nginx/access.log`
  • Filtering for suspicious `order_by` parameters that include special characters or SQL keywords: `grep -i "order_by=.*(select|union|insert|delete|update)" /var/log/nginx/access.log`
  • Using network traffic capture tools like tcpdump or Wireshark to filter HTTP GET requests to the endpoint and analyze parameters.
Mitigation Strategies

The primary immediate mitigation step is to upgrade the Open Notebook application to version 1.8.3 or later, where the vulnerability has been patched.

Additionally, reviewing and tightening CORS configurations to avoid overly permissive defaults can reduce the risk of data exfiltration.

As a temporary measure, restricting access to the /api/notebooks endpoint or disabling it if not needed can help mitigate exploitation.

Implementing web application firewall (WAF) rules to detect and block suspicious input patterns in the `order_by` parameter may also help reduce risk until the patch is applied.

Compliance Impact

The vulnerability allows attackers to alter or delete arbitrary database entries and potentially exfiltrate data due to improper input validation and overly permissive CORS settings.

Such unauthorized data manipulation and exfiltration can lead to breaches of confidentiality, integrity, and availability of sensitive data.

Consequently, this can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over data access, integrity, and privacy.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart