CVE-2026-44523: Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery

May 7, 2026 (updated May 15, 2026)

No minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte.

HS256 secrets below 32 bytes are brute-forceable offline, allowing attackers to recover the signing key and forge valid JWTs for arbitrary users.

References

github.com/advisories/GHSA-q6mh-rqwh-g786
github.com/enchant97/note-mark/commit/18b58775866776ed400c403dd0ccad68c1fa4802
github.com/enchant97/note-mark/releases/tag/v0.19.4
github.com/enchant97/note-mark/security/advisories/GHSA-q6mh-rqwh-g786
nvd.nist.gov/vuln/detail/CVE-2026-44523

Code Behaviors & Features

Detect and mitigate CVE-2026-44523 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →