Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-44523

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

View on NVD

Analysis

Note Mark, a self-hosted note-taking application, contains a critical vulnerability where it fails to enforce minimum entropy on JWT secrets. This allows for trivial authentication bypass and full account takeover if a short or weak secret is used. Users should upgrade to version 0.19.4 or higher.

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: NONE
Weakness (CWE): CWE-326CWE-345

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

Published: 5/14/2026, 7:16:37 PM
Last modified: 5/14/2026, 7:16:37 PM

References

HomeEventsBlogResourcesTeam