Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-588f-fvcv-xhvf: Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books

0
Medium
Published: 07/09/2026 (07/09/2026, 13:41:29 UTC)
Source: GCVE Database
Product: github.com/enchant97/note-mark/backend

Description

Summary GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped() (bypassing GORM's soft-delete scope) but keeps the read-authorization clause as "owner_id = ? OR is_public = ?". As a result, any unauthenticated caller can enumerate the metadata of soft-deleted ("trashed") notes belonging to any public book — notes the owner explicitly deleted and expected to be removed from public view. Affected component (code-verified) backend/services/notes.go — GetNotesByBookID (lines 72-89): func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) { tx := db.DB if deleted { tx = tx.Unscoped() // <-- bypasses soft-delete scope } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book_id"). Where( db.DB.Where("books.id = ?", bookID), db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true), // <-- is_public still honored for trash ) if deleted { tx = tx.Where("notes.deleted_at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(&notes).Error) } Route registration confirms the endpoint has no AuthRequiredMiddleware (backend/handlers/notes.go:37), and the deleted flag is attacker-controlled (backend/handlers/notes.go:86 — Deleted bool with query:"deleted"). Proof of concept 1. A victim owns a public book (is_public = true), creates a note, then soft-deletes it (moves it to trash). The note still exists in the DB with deleted_at set. 2. An unauthenticated attacker who knows (or enumerates) the book UUID requests: GET /api/books/<bookID>/notes?deleted=true 3. The response lists the soft-deleted note(s) — id, title, slug, timestamps — even though the attacker is not authenticated and the owner intended the note to be deleted. Impact Exposure of soft-deleted note metadata (title, slug, timestamps) of public books to unauthenticated actors. The note body is not exposed — the content endpoint (GetNoteContent) does not use Unscoped(), so its count query returns 0 for soft-deleted notes and yields 404. Impact is therefore limited to metadata disclosure and the bypass of the intended "delete" semantics on public books. Remediation Restrict trash (soft-deleted) listings to the book owner only — never honor the is_public branch when deleted=true: func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) { tx := db.DB if deleted { tx = tx.Unscoped() } + // Soft-deleted ("trash") notes must only ever be listed to the book owner. + authz := db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true) + if deleted { + authz = db.DB.Where("owner_id = ?", currentUserID) + } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book_id"). Where( db.DB.Where("books.id = ?", bookID), - db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true), + authz, ) if deleted { tx = tx.Where("notes.deleted_at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(&notes).Error) } With this change, when currentUserID is nil (unauthenticated) and deleted=true, the clause becomes owner_id = NULL, which matches nothing — so trash is never exposed to anonymous callers. Coordinated disclosure / CVE request We have reported this privately and are happy to assist with any further validation or testing you need. If you agree this qualifies as a security vulnerability, we would be grateful if you could request a CVE ID for it — GitHub lets maintainers request a CVE directly from this advisory page once it is accepted. Thank you for your time and for maintaining note-mark. References - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-285: Improper Authorization - Prior note-mark authorization fix (CVE-2026-40265) established that read paths must scope by owner_id OR is_public; this report covers the trash path that the scope did not fully cover. ---

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected software

Goghsa
github.com/enchant97/note-mark/backend
Affected versions
<0.0.0-20260601210758-9c9b72740f22

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-588f-fvcv-xhvf
Osv Schema Version
1.4.0
Aliases
["CVE-2026-50554"]
Ecosystems
["Go"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a50bac868715ace435892b8

Added to database: 07/10/2026, 09:26:32 UTC

Last updated: 07/10/2026, 09:26:32 UTC

Views: 1

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses