Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-44523

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

Ver en NVD

Análisis

Note Mark, a self-hosted note-taking application, contains a critical vulnerability where it fails to enforce minimum entropy on JWT secrets. This allows for trivial authentication bypass and full account takeover if a short or weak secret is used. Users should upgrade to version 0.19.4 or higher.

Severidad

Puntaje: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-326CWE-345

EPSS

Sin puntaje EPSS aún (CVE muy reciente).

Descripción técnica

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.

Publicada: 14/5/2026, 19:16:37
Última modificación: 14/5/2026, 19:16:37

Referencias

InicioEventosBlogRecursosEquipo