OAuth2 State Validation Flaw in HedgeDoc by HedgeDoc Team
CVE-2026-58489

6.8MEDIUM

Key Information:

Vendor

Hedgedoc

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-58489?

HedgeDoc, an open-source collaborative markdown notes application, had a vulnerability in its GitHub Gist export functionality prior to version 1.11.0. The application generated an OAuth2 state value but failed to validate it correctly against the expected value for the user's session. This oversight allowed attackers to forge callback URLs containing their own valid GitHub OAuth codes. When a victim clicked a crafted link, their logged-in session was exploited to export private or protected notes to a Gist controlled by the attacker, leading to unauthorized access and data exposure. The issue has been addressed in version 1.11.0.

Affected Version(s)

hedgedoc < 1.11.0

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.