CVE-2026-28201
Improper Input Validation and CORS Misconfiguration in Open Notebook
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: ENISA
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lfnovo | open_notebook | to 1.8.3 (exc) |
| lfnovo | open_notebook | 1.8.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-917 | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-28201 vulnerability is a SurrealDB injection flaw in the open-notebook application version 1.8.1. It arises from improper input validation of the `order_by` parameter in the GET /api/notebooks endpoint, where user input is directly inserted into a SurrealQL query without sanitization.
This flaw allows a remote attacker to craft a malicious URL that, when clicked by a legitimate user, can inject harmful database commands. This can lead to unauthorized creation, modification, or deletion of database entries.
Additionally, an overly permissive default CORS configuration can enable data exfiltration depending on how the application is deployed.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized alteration or deletion of database records, which compromises data integrity and availability.
Because exploitation requires no privileges and only a user clicking a malicious URL (CSRF), it is relatively easy for attackers to execute.
Furthermore, due to the default overly permissive CORS settings, attackers may also be able to exfiltrate sensitive data from the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves an unsanitized `order_by` parameter in the GET /api/notebooks endpoint that allows SurrealDB injection via a specially crafted URL. Detection can focus on monitoring HTTP requests to this endpoint for suspicious or unusual `order_by` parameter values that may contain injection attempts.
Network or system detection could include inspecting web server logs or using tools to capture and analyze HTTP GET requests to /api/notebooks, looking for unexpected or malicious input patterns in the `order_by` parameter.
Example commands to detect suspicious requests might include:
- Using grep on web server logs to find requests to the vulnerable endpoint: `grep "/api/notebooks" /var/log/nginx/access.log`
- Filtering for suspicious `order_by` parameters that include special characters or SQL keywords: `grep -i "order_by=.*(select|union|insert|delete|update)" /var/log/nginx/access.log`
- Using network traffic capture tools like tcpdump or Wireshark to filter HTTP GET requests to the endpoint and analyze parameters.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade the Open Notebook application to version 1.8.3 or later, where the vulnerability has been patched.
Additionally, reviewing and tightening CORS configurations to avoid overly permissive defaults can reduce the risk of data exfiltration.
As a temporary measure, restricting access to the /api/notebooks endpoint or disabling it if not needed can help mitigate exploitation.
Implementing web application firewall (WAF) rules to detect and block suspicious input patterns in the `order_by` parameter may also help reduce risk until the patch is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to alter or delete arbitrary database entries and potentially exfiltrate data due to improper input validation and overly permissive CORS settings.
Such unauthorized data manipulation and exfiltration can lead to breaches of confidentiality, integrity, and availability of sensitive data.
Consequently, this can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over data access, integrity, and privacy.