CVE-2026-41572
Deferred Deferred - Pending Action
Note Soft-Delete Bypass in Mark Application

Publication date: 2026-05-04

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41572
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
note_mark note_mark 0.19.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated access to notes and uploaded assets that were intended to be soft-deleted by the owner of a public book. Because the data remains accessible despite deletion attempts, this could lead to unauthorized disclosure of potentially sensitive information.

Such unauthorized data exposure may conflict with compliance requirements in standards and regulations like GDPR and HIPAA, which mandate proper data deletion and protection of personal or sensitive information.

However, the CVE description does not explicitly mention compliance impacts or specific regulatory considerations.

Executive Summary

This vulnerability affects Note Mark, an open-source note-taking application. Before version 0.19.3, when the owner of a public book soft-deletes it, the notes and uploaded assets within that book remain accessible. Specifically, unauthenticated users who know the note ID or the slug URL can still access the notes and assets through various API endpoints and URLs.

The root cause is that the soft-delete mechanism in the database ORM (GORM) does not apply correctly to certain raw SQL queries involving JOINs used to fetch notes and assets, allowing these deleted items to remain readable.

This issue was fixed in version 0.19.3 of Note Mark.

Impact Analysis

This vulnerability can lead to unauthorized access to notes and uploaded assets that the owner intended to delete or hide by soft-deleting a public book. Since unauthenticated users can still access this content if they have the note ID or slug URL, sensitive or private information may be exposed unintentionally.

The impact is limited to information disclosure (confidentiality), as the vulnerability does not affect integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade Note Mark to version 0.19.3 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41572. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart