Critical severity (score 10.0) · GHSA Advisory · Published May 14, 2026 · Updated May 15, 2026
CVE-2026-44523
Description
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.
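To make the defect concrete, here is an added example (not Note Mark's own code) that contrasts the pre-0.19.4 acceptance of any base64-decodable value with a hardened check enforcing the 32-byte decoded minimum that the fix introduces; the extra rejection of a single repeated byte value is an assumption of this example, not something the project does.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// MinSecretBytes mirrors the 32-byte minimum introduced in Note Mark 0.19.4.
const MinSecretBytes = 32

// DecodeJWTSecret reproduces the pre-0.19.4 behaviour: any value that
// base64-decodes is accepted, however short (even a single byte).
func DecodeJWTSecret(encoded string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(encoded)
}

// ValidateJWTSecret is the hardened check: the decoded secret must be at
// least MinSecretBytes long. As an additional (assumed) guard it rejects a
// secret made of one repeated byte value, since length alone says nothing
// about entropy.
func ValidateJWTSecret(encoded string) ([]byte, error) {
	secret, err := DecodeJWTSecret(encoded)
	if err != nil {
		return nil, fmt.Errorf("JWT_SECRET is not valid base64: %w", err)
	}
	if len(secret) < MinSecretBytes {
		return nil, fmt.Errorf("JWT_SECRET decodes to %d bytes, need at least %d",
			len(secret), MinSecretBytes)
	}
	distinct := map[byte]struct{}{}
	for _, b := range secret {
		distinct[b] = struct{}{}
	}
	if len(distinct) < 2 {
		return nil, errors.New("JWT_SECRET is a single repeated byte value")
	}
	return secret, nil
}

func main() {
	// Constructed sample: "QQ==" is the base64 encoding of the 1-byte secret "A".
	raw, _ := DecodeJWTSecret("QQ==")
	fmt.Printf("pre-fix: accepted %d-byte secret\n", len(raw))
	if _, err := ValidateJWTSecret("QQ=="); err != nil {
		fmt.Println("hardened:", err)
	}
}
```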
Affected products
Patches (1)
18b587758667 fix GHSA-q6mh-rqwh-g786
2 files changed · +2 −2
backend/config/config.go+1 −1 modified@@ -28,7 +28,7 @@ type OidcConfig struct { type AppConfig struct { Bind BindConfig `envPrefix:"BIND__"` DB DBConfig `envPrefix:"DB__"` - JWTSecret Base64Decoded `env:"JWT_SECRET,notEmpty"` + JWTSecret Base64Decoded `env:"JWT_SECRET,notEmpty" validate:"gte=32"` TokenExpiry int64 `env:"TOKEN_EXPIRY" envDefault:"259200"` DataPath string `env:"DATA_PATH,notEmpty"` StaticPath string `env:"STATIC_PATH"`
site/content/docs/setup/configuration.md+1 −1 modified@@ -10,7 +10,7 @@ Configuration of the Note Mark is done through environment variables. See the be | BIND__UNIX_SOCKET | Listen on unix socket, overrides HOST/PORT when set | - | - | | DB__TYPE | Type of DB (sqlite or postgres) | | sqlite | | DB__URI | URI (or file path if using SQLite) | | /data/db.sqlite | -| JWT_SECRET | base64 encoded secret | | | +| JWT_SECRET | base64 encoded secret (must be at least 32 bytes) | | | | TOKEN_EXPIRY | seconds until a token expires | 259200 | 259200 | | DATA_PATH | Where to store app data | | /data | | STATIC_PATH | Host static files | | |
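Review bot: in the backend/config/config.go hunk, the new `validate:"gte=32"` tag on `JWTSecret` only has effect if a struct validator is actually run over `AppConfig` after the environment is parsed, and that call site is not part of this change; confirm the validator is invoked on startup and that, for the `Base64Decoded` type, `gte=32` is applied to the decoded byte length rather than the length of the encoded string. Note also that a length floor does not cover the entropy concern named in the advisory text: a 32-byte secret consisting of one repeated byte still passes, so a follow-up could reject such degenerate values.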
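Review bot: in the site/content/docs/setup/configuration.md hunk, "must be at least 32 bytes" is ambiguous in a row whose value is base64 encoded; since the check applies to the decoded secret, say so, e.g. `base64 encoded secret (at least 32 bytes once decoded, i.e. 44 base64 characters)`, and consider adding a generation hint such as `openssl rand -base64 32` so operators do not hand-type short values.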
References
- github.com/advisories/GHSA-q6mh-rqwh-g786 (GHSA advisory)
- github.com/enchant97/note-mark/commit/18b58775866776ed400c403dd0ccad68c1fa4802 (fix commit)
- github.com/enchant97/note-mark/releases/tag/v0.19.4 (fixed release)
- github.com/enchant97/note-mark/security/advisories/GHSA-q6mh-rqwh-g786 (repository advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-44523 (NVD entry)