CVE-2026-41572: CWE-285: Improper Authorization in enchant97 note-mark
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.
AI Analysis
Technical Summary
Note-mark versions before 0.19.3 suffer from an improper authorization vulnerability (CWE-285) where soft-deleted public books' notes and assets remain accessible to unauthenticated users. The root cause is that GORM's soft-delete scope is not applied to raw SQL JOIN queries used in note and asset retrieval, allowing continued access via endpoints such as /api/notes/{id} and slug URLs. This enables unauthorized read access to content that should be logically deleted. The vulnerability has been addressed in note-mark version 0.19.3.
Potential Impact
An attacker or unauthenticated user who knows the note ID or slug path can access notes and uploaded assets from soft-deleted public books, violating data confidentiality. There is no impact on integrity or availability. The exposure is limited to read-only access of data that should have been inaccessible after soft deletion.
Mitigation Recommendations
This vulnerability has been patched in note-mark version 0.19.3. Users should upgrade to version 0.19.3 or later to remediate this issue. No other mitigation is indicated or required.
CVE-2026-41572: CWE-285: Improper Authorization in enchant97 note-mark
Description
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Note-mark versions before 0.19.3 suffer from an improper authorization vulnerability (CWE-285) where soft-deleted public books' notes and assets remain accessible to unauthenticated users. The root cause is that GORM's soft-delete scope is not applied to raw SQL JOIN queries used in note and asset retrieval, allowing continued access via endpoints such as /api/notes/{id} and slug URLs. This enables unauthorized read access to content that should be logically deleted. The vulnerability has been addressed in note-mark version 0.19.3.
Potential Impact
An attacker or unauthenticated user who knows the note ID or slug path can access notes and uploaded assets from soft-deleted public books, violating data confidentiality. There is no impact on integrity or availability. The exposure is limited to read-only access of data that should have been inaccessible after soft deletion.
Mitigation Recommendations
This vulnerability has been patched in note-mark version 0.19.3. Users should upgrade to version 0.19.3 or later to remediate this issue. No other mitigation is indicated or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-21T14:15:21.957Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f8e3e0cbff5d86103e465f
Added to database: 5/4/2026, 6:22:24 PM
Last enriched: 5/4/2026, 6:36:44 PM
Last updated: 5/4/2026, 9:31:17 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.