CVE-2026-41572: Note Mark: Unauthenticated read of notes and assets in soft-deleted public books
(updated )
After a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM’s soft-delete scope does not reach the raw JOIN books ... clauses used by the note and asset queries.
References
- github.com/advisories/GHSA-3gr9-485j-v4xf
- github.com/enchant97/note-mark
- github.com/enchant97/note-mark/commit/d1bf845a2a2df01e2eca6f556287db4ec6f773cf
- github.com/enchant97/note-mark/releases/tag/v0.19.3
- github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf
- nvd.nist.gov/vuln/detail/CVE-2026-41572
Code Behaviors & Features
Detect and mitigate CVE-2026-41572 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →