CVE-2026-44522: Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution

The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)).

When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go’s filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory.

The export process typically runs as root (the default in Docker deployments and common in bare-metal setups). This means the arbitrary file write operates with root privileges, allowing an attacker to write to any writable location on the filesystem. This can be escalated to Remote Code Execution by overwriting system binaries such as /bin/bash with a malicious payload. Since the Go binary is statically compiled and does not shell out to external programs during the export, overwriting /bin/bash does not affect the running export process. However, the next time any user or administrator invokes bash on the system, the attacker-controlled binary executes instead, resulting in code execution as root. In environments with cron or systemd, writing to /etc/cron.d/ or systemd unit files provides additional exploitation paths.

The data flow is: X-Name HTTP header > handlers/assets.go (no validation) > services/assets.go (stored to DB as-is) > cli/migrate.go (used in os.Create(filepath.Join(..., asset.Name))) > arbitrary file write.