Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.9
Unauthenticated access to private note assets on Note app
GHSA-p5w6-75f9-cc2p
CVE-2026-40265
Summary
Unauthenticated users can access private note assets on the Note app if they know the note and asset IDs. This allows them to view sensitive information without needing to log in. To fix this, the app needs to add proper security checks to ensure only authorized users can access private assets.
What to do
- Update github.com enchant97 to version 0.0.0-20260411145023-6593898855ad.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| go | github.com | enchant97 |
< 0.0.0-20260411145023-6593898855ad Fix: upgrade to 0.0.0-20260411145023-6593898855ad
|
Original title
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middlewar...
Original description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2.
ghsa CVSS3.1
5.9
Vulnerability type
CWE-862
Missing Authorization
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 13 Apr 2026