CVE-2026-41571
Received Received - Intake
Authentication Bypass in Note Mark via Hardcoded Password

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: GitHub, Inc.

Description
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41571
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
note_mark note_mark to 0.19.3 (exc)
note_mark note_mark 0.19.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Note Mark version 0.19.2, an open-source note-taking application. The function IsPasswordMatch in the backend falls back to a hard-coded bcrypt("null") placeholder when a user has no stored password. For OIDC-registered users, who are created with an empty password, submitting the password "null" to the internal login endpoint grants a valid session for that user without authentication or user interaction.

Impact Analysis

This vulnerability allows an attacker to bypass authentication and gain unauthorized access to user accounts simply by submitting the password "null". Since the bypass requires no authentication or user interaction, it poses a high risk of account compromise, potentially leading to data exposure, unauthorized actions, and loss of integrity and availability within the application.

Mitigation Strategies

The vulnerability has been patched in Note Mark version 0.19.3. The immediate step to mitigate this vulnerability is to upgrade your Note Mark installation to version 0.19.3 or later.

This patch fixes the issue where OIDC-registered users with empty passwords could be authenticated by submitting the password "null".

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and gain valid sessions for users without needing a password. This leads to a high impact on confidentiality, integrity, and availability of user data.

Such unauthorized access could result in exposure or modification of sensitive personal or health information, potentially violating data protection regulations such as GDPR and HIPAA that require strict access controls and protection of user data.

Therefore, this vulnerability could negatively affect compliance with these standards by undermining the security controls mandated to protect sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart