Unauthenticated Access Vulnerability in Note-taking Application Note Mark
CVE-2026-40265

5.9 MEDIUM

Key Information:

Vendor: Enchant97

Status
Vendor
CVE Published: 16 April 2026

What is CVE-2026-40265?

Note Mark, an open-source note-taking application, has a vulnerability in versions 0.19.1 and earlier that allows unauthenticated users to access private note assets. The asset download endpoint at /api/notes/{noteID}/assets/{assetID} lacks authentication middleware and does not enforce ownership or visibility checks, so anyone who knows a valid note ID and asset ID can retrieve the asset. This compromises the confidentiality of private notes and their associated books. The issue is resolved in version 0.19.2.
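The missing check, sketched in Go as an added example (not Note Mark's own code): one handler for the asset route that either serves on ID knowledge alone, as described above, or resolves the caller and enforces visibility or ownership. The note type, session map, IDs and tokens are constructed and hypothetical.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data; types and names are hypothetical, not Note Mark's.
type note struct {
	owner  string
	public bool              // visibility inherited from the book
	assets map[string]string // assetID -> content
}

var notes = map[string]note{
	"n-private": {"alice", false, map[string]string{"a1": "secret"}},
	"n-public":  {"alice", true, map[string]string{"a2": "logo"}},
}
var sessions = map[string]string{"tok-alice": "alice", "tok-bob": "bob"} // token -> user

// assetHandler serves /api/notes/{noteID}/assets/{assetID}; enforce=false models the flaw.
func assetHandler(enforce bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p := strings.Split(r.URL.Path, "/")
		if len(p) != 6 {
			http.NotFound(w, r)
			return
		}
		n := notes[p[3]]
		body, ok := n.assets[p[5]]
		user := sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		allowed := n.public || (user != "" && user == n.owner)
		if !ok || (enforce && !allowed) { // same 404 for "missing" and "not allowed"
			http.NotFound(w, r)
			return
		}
		w.Write([]byte(body))
	}
}

// status sends one GET (an empty token models an unauthenticated caller) and returns the code.
func status(h http.HandlerFunc, path, token string) int {
	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
func main() { println(status(assetHandler(false), "/api/notes/n-private/assets/a1", "")) }
```

With enforcement on, the private asset is returned only to its owner, while assets of public notes stay readable without a session.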

Affected Version(s)

note-mark < 0.19.2

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
