Critical severity9.4GHSA Advisory· Published May 4, 2026· Updated May 6, 2026
CVE-2026-41571
CVE-2026-41571
Description
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/enchant97/note-mark/backendGo | < 0.0.0-20260417132909-dea5530cc989 | 0.0.0-20260417132909-dea5530cc989 |
Affected products
1Patches
1dea5530cc989fix GHSA-pxf8-6wqm-r6hh
1 file changed · +1 −1
backend/db/models.go+1 −1 modified@@ -51,7 +51,7 @@ func (u *User) IsPasswordMatch(plainPassword string) bool { } else { current = u.Password } - if err := bcrypt.CompareHashAndPassword(current, []byte(plainPassword)); err == nil { + if err := bcrypt.CompareHashAndPassword(current, []byte(plainPassword)); err == nil && len(u.Password) != 0 { return true } return false
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-pxf8-6wqm-r6hhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41571ghsaADVISORY
- github.com/enchant97/note-mark/commit/dea5530cc9891187b51548ef9f2868b7dc9f4e92ghsaWEB
- github.com/enchant97/note-mark/releases/tag/v0.19.3nvdWEB
- github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hhnvdWEB
News mentions
0No linked articles in our index yet.