CVE-2026-41571
Authentication Bypass in Note Mark via Hardcoded Password
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| note_mark | note_mark | to 0.19.3 (exc) |
| note_mark | note_mark | 0.19.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Note Mark version 0.19.2, an open-source note-taking application. The function IsPasswordMatch in the backend falls back to a hard-coded bcrypt("null") placeholder when a user has no stored password. For OIDC-registered users, who are created with an empty password, submitting the password "null" to the internal login endpoint grants a valid session for that user without authentication or user interaction.
How can this vulnerability impact me? :
This vulnerability allows an attacker to bypass authentication and gain unauthorized access to user accounts simply by submitting the password "null". Since the bypass requires no authentication or user interaction, it poses a high risk of account compromise, potentially leading to data exposure, unauthorized actions, and loss of integrity and availability within the application.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Note Mark version 0.19.3. The immediate step to mitigate this vulnerability is to upgrade your Note Mark installation to version 0.19.3 or later.
This patch fixes the issue where OIDC-registered users with empty passwords could be authenticated by submitting the password "null".
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to bypass authentication and gain valid sessions for users without needing a password. This leads to a high impact on confidentiality, integrity, and availability of user data.
Such unauthorized access could result in exposure or modification of sensitive personal or health information, potentially violating data protection regulations such as GDPR and HIPAA that require strict access controls and protection of user data.
Therefore, this vulnerability could negatively affect compliance with these standards by undermining the security controls mandated to protect sensitive information.