CVE-2026-41571
Published: 04 May 2026
Description
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Detects unauthorized successful logons resulting from improper authentication implementations.
- Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
- Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
- Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
- Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.
- Session content review can reveal authentication bypasses or failures in session establishment.
- Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.
- Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
Security Summary
Note Mark, an open-source note-taking application, contains a critical authentication bypass vulnerability designated as CVE-2026-41571 in version 0.19.2. The flaw resides in the IsPasswordMatch function within backend/db/models.go, which defaults to a hard-coded bcrypt("null") placeholder for users lacking a stored password. OIDC-registered users are provisioned with an empty password field, enabling the bypass when the password "null" is submitted to the internal login endpoint.
The vulnerability is exploitable by unauthenticated attackers over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and association with CWE-287 (Improper Authentication). Successful exploitation grants a valid session for any targeted OIDC-registered user, allowing high-impact compromise of confidentiality and integrity, such as unauthorized access to notes, with limited availability disruption.
The issue has been addressed in Note Mark version 0.19.3, as detailed in the project's GitHub release notes and security advisory (GHSA-pxf8-6wqm-r6hh). Security practitioners should urge users to upgrade immediately to mitigate the risk.
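The following Go program is an added illustration of the fallback pattern the advisory describes and of the straightforward fix; it is not Note Mark's code, and the type and function names (User, IsPasswordMatchVulnerable, IsPasswordMatchFixed, PasswordlessAccounts) are assumptions. SHA-256 stands in for bcrypt so the program runs with the standard library alone; the point is the handling of an empty stored hash, not the hash function.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// User is a hypothetical record with only the fields the advisory talks about.
// OIDC-registered accounts are created with no password, so PasswordHash is empty.
type User struct {
	Username     string
	PasswordHash []byte
}

// hashPassword stands in for bcrypt so the example needs only the standard
// library; the fallback logic, not the hash function, is what matters here.
func hashPassword(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// hashMatches compares a stored hash against a candidate in constant time.
func hashMatches(stored []byte, password string) bool {
	return subtle.ConstantTimeCompare(stored, hashPassword(password)) == 1
}

// placeholderHash mimics the hard-coded bcrypt("null") value the advisory
// describes: a fixed hash of the literal string "null".
var placeholderHash = hashPassword("null")

// IsPasswordMatchVulnerable reproduces the weak pattern: when the user has no
// stored password, the check silently substitutes the placeholder hash, so the
// literal string "null" satisfies it for every password-less account.
func IsPasswordMatchVulnerable(u User, password string) bool {
	stored := u.PasswordHash
	if len(stored) == 0 {
		stored = placeholderHash
	}
	return hashMatches(stored, password)
}

// ErrNoPasswordSet is returned when an account has no password credential at all.
var ErrNoPasswordSet = errors.New("password login is not enabled for this account")

// IsPasswordMatchFixed refuses password authentication outright for accounts
// that have no stored hash instead of inventing one. The distinct error lets the
// login handler record the attempt in its audit log as a rejected login.
func IsPasswordMatchFixed(u User, password string) (bool, error) {
	if len(u.PasswordHash) == 0 {
		return false, ErrNoPasswordSet
	}
	return hashMatches(u.PasswordHash, password), nil
}

// PasswordlessAccounts lists the accounts that would have been affected by the
// fallback: a quick inventory check an operator can run against a user table
// when deciding which session histories to review after upgrading.
func PasswordlessAccounts(users []User) []string {
	var names []string
	for _, u := range users {
		if len(u.PasswordHash) == 0 {
			names = append(names, u.Username)
		}
	}
	return names
}

func main() {
	// Constructed sample accounts: one OIDC-provisioned, one with a local password.
	users := []User{
		{Username: "oidc-user"},
		{Username: "local-user", PasswordHash: hashPassword("correct horse battery staple")},
	}
	for _, u := range users {
		fmt.Printf("%-10s vulnerable check with \"null\": %v\n",
			u.Username, IsPasswordMatchVulnerable(u, "null"))
		ok, err := IsPasswordMatchFixed(u, "null")
		fmt.Printf("%-10s fixed check with \"null\":      ok=%v err=%v\n", u.Username, ok, err)
	}
	fmt.Println("accounts without a password credential:", PasswordlessAccounts(users))
}
```

The design choice worth noting is that the fixed variant returns an error rather than a bare false: a handler can then distinguish "wrong password" from "this account has no password credential" in its audit records, which is exactly the kind of authentication-related log review the mitigating controls above rely on.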
Details
- CWE(s): CWE-287 (Improper Authentication)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in publicly accessible web app login (OIDC users) directly enables remote exploitation for initial access without credentials.