CVE-2026-41572 MEDIUM

CVE-2026-41572: Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Vendor Enchant97

Product note-mark

Weakness CWE-285

Published May 4, 2026

Last update May 4, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.

Key dates

02Disclosure timeline

May 4, 2026 CVE published

May 4, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41572

Related vulnerabilities

04Related CVE

CVE-2025-1007 Improper Authorization in /user/namespace/{namespace}/details CVE-2023-0813 Network-observability-console-plugin-container: setting loki authtoken configuration to disable or host mode leads to authentication longer being enforced CVE-2025-10073 Portabilis i-Educar turma improper authorization CVE-2026-2294 UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update CVE-2025-9687 Portabilis i-Educar processamentoApi improper authorization