CVE-2026-40263: CWE-208: Observable Timing Discrepancy in enchant97 note-mark
CVE-2026-40263 is a timing discrepancy vulnerability in the login endpoint of the open-source note-taking application Note Mark (versions 0. 19. 1 and earlier). The application performs bcrypt password verification only when the username exists, returning immediately otherwise. This behavior allows unauthenticated attackers to enumerate valid usernames by measuring response times. The issue is fixed in version 0. 19. 2. The vulnerability has a low severity score and no known exploits in the wild.
AI Analysis
Technical Summary
Note Mark versions prior to 0.19.2 have a timing side-channel vulnerability (CWE-208) in the login process. When a login attempt is made, the system performs bcrypt password verification only if the username exists; if the username does not exist, the response returns immediately. This timing difference can be measured by an attacker to enumerate valid usernames, facilitating targeted credential attacks. The vulnerability is addressed in version 0.19.2.
Potential Impact
The vulnerability allows unauthenticated attackers to determine valid usernames by measuring response times from the login endpoint. This information disclosure can aid attackers in focusing credential-based attacks on valid accounts. The confidentiality impact is low, with no direct impact on integrity or availability. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade Note Mark to version 0.19.2 or later, where this timing discrepancy issue has been fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. No additional mitigation steps are indicated.
CVE-2026-40263: CWE-208: Observable Timing Discrepancy in enchant97 note-mark
Description
CVE-2026-40263 is a timing discrepancy vulnerability in the login endpoint of the open-source note-taking application Note Mark (versions 0. 19. 1 and earlier). The application performs bcrypt password verification only when the username exists, returning immediately otherwise. This behavior allows unauthenticated attackers to enumerate valid usernames by measuring response times. The issue is fixed in version 0. 19. 2. The vulnerability has a low severity score and no known exploits in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Note Mark versions prior to 0.19.2 have a timing side-channel vulnerability (CWE-208) in the login process. When a login attempt is made, the system performs bcrypt password verification only if the username exists; if the username does not exist, the response returns immediately. This timing difference can be measured by an attacker to enumerate valid usernames, facilitating targeted credential attacks. The vulnerability is addressed in version 0.19.2.
Potential Impact
The vulnerability allows unauthenticated attackers to determine valid usernames by measuring response times from the login endpoint. This information disclosure can aid attackers in focusing credential-based attacks on valid accounts. The confidentiality impact is low, with no direct impact on integrity or availability. There are no known exploits in the wild.
Mitigation Recommendations
Upgrade Note Mark to version 0.19.2 or later, where this timing discrepancy issue has been fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1786e82d89c981fe335c5
Added to database: 4/17/2026, 12:01:50 AM
Last enriched: 4/17/2026, 12:17:03 AM
Last updated: 4/17/2026, 1:18:24 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.