CVE-2026-40265: Note Mark has Broken Access Control on Asset Download
A broken access control vulnerability allows unauthenticated users to retrieve note assets directly from the asset download endpoint when they know both the note UUID and asset UUID. This exposes the full contents of private note assets without authentication, even when the associated book is not public.
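The following Go snippet is an added illustration of the access-control pattern the advisory describes; it is not Note Mark's code, and the project's real handlers, schema and route names are not reproduced here. `Store`, `DownloadAssetVulnerable`, `DownloadAsset` and the in-memory sample data are constructed for this example. The vulnerable function looks up an asset purely by the note UUID and asset UUID, so anyone who knows both values gets the bytes. The hardened function resolves the asset to its note and then to the owning book, and only returns data if that book is public or the requester owns it. Unknown or mismatched identifiers yield "not found" in both cases, so the fix does not change the response for guessed UUIDs that do not exist.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model for the example; not Note Mark's schema.
type Book struct {
	ID       string
	OwnerID  string
	IsPublic bool
}

type Note struct {
	ID     string
	BookID string
}

type Asset struct {
	ID     string
	NoteID string
	Data   []byte
}

// Store stands in for the application's database layer (hypothetical).
type Store struct {
	books  map[string]Book
	notes  map[string]Note
	assets map[string]Asset
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// DownloadAssetVulnerable mirrors the flaw in the advisory: the only check is
// that the asset belongs to the named note. Knowing both UUIDs is enough,
// and the requester's identity is never consulted.
func (s *Store) DownloadAssetVulnerable(noteID, assetID string) ([]byte, error) {
	a, ok := s.assets[assetID]
	if !ok || a.NoteID != noteID {
		return nil, ErrNotFound
	}
	return a.Data, nil
}

// DownloadAsset is the hardened form: it walks asset -> note -> book and
// applies the book's visibility rule. An empty requester means unauthenticated.
func (s *Store) DownloadAsset(requester, noteID, assetID string) ([]byte, error) {
	a, ok := s.assets[assetID]
	if !ok || a.NoteID != noteID {
		return nil, ErrNotFound
	}
	n, ok := s.notes[noteID]
	if !ok {
		return nil, ErrNotFound
	}
	b, ok := s.books[n.BookID]
	if !ok {
		return nil, ErrNotFound
	}
	// Public books are readable by anyone; private books only by their owner.
	if b.IsPublic || (requester != "" && requester == b.OwnerID) {
		return a.Data, nil
	}
	return nil, ErrForbidden
}

// NewSampleStore builds constructed sample data: one private book owned by
// "alice" and one public book owned by "bob", each with a note and an asset.
func NewSampleStore() *Store {
	return &Store{
		books: map[string]Book{
			"book-private": {ID: "book-private", OwnerID: "alice", IsPublic: false},
			"book-public":  {ID: "book-public", OwnerID: "bob", IsPublic: true},
		},
		notes: map[string]Note{
			"note-1": {ID: "note-1", BookID: "book-private"},
			"note-2": {ID: "note-2", BookID: "book-public"},
		},
		assets: map[string]Asset{
			"asset-1": {ID: "asset-1", NoteID: "note-1", Data: []byte("secret")},
			"asset-2": {ID: "asset-2", NoteID: "note-2", Data: []byte("public data")},
		},
	}
}

func main() {
	s := NewSampleStore()
	_, err := s.DownloadAssetVulnerable("note-1", "asset-1")
	fmt.Println("vulnerable, unauthenticated, private asset:", err) // <nil>: leaked
	_, err = s.DownloadAsset("", "note-1", "asset-1")
	fmt.Println("hardened, unauthenticated, private asset:", err) // forbidden
	_, err = s.DownloadAsset("alice", "note-1", "asset-1")
	fmt.Println("hardened, owner, private asset:", err) // <nil>
	_, err = s.DownloadAsset("", "note-2", "asset-2")
	fmt.Println("hardened, unauthenticated, public asset:", err) // <nil>
}
```

The important design point is that the authorization decision is made on the book, the object that actually carries the visibility setting, rather than on the note or asset identifiers alone; UUIDs are unguessable but not secret, and links to them can leak through logs, referrers or shared screenshots.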
References
- github.com/advisories/GHSA-p5w6-75f9-cc2p
- github.com/enchant97/note-mark
- github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e14c62026
- github.com/enchant97/note-mark/releases/tag/v0.19.2
- github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p
- nvd.nist.gov/vuln/detail/CVE-2026-40265