CVE-2026-41571: Note Mark Critical Auth Bypass
The National Vulnerability Database has disclosed CVE-2026-41571, a critical authentication bypass vulnerability in Note Mark, an open-source note-taking application. Affecting version 0.19.2, the flaw lies in the IsPasswordMatch function within backend/db/models.go. When a user lacks a stored password, the system inexplicably falls back to comparing against a hard-coded bcrypt("null") placeholder.
This design flaw creates a gaping hole: users registered via OIDC (OpenID Connect) are provisioned without a password. Consequently, any unauthenticated attacker submitting password: "null" to the internal login endpoint will receive a valid session for these users. This is an unauthenticated bypass, requiring no user interaction, making it trivial to exploit. The National Vulnerability Database assigns it a CVSS score of 9.4 (CRITICAL).
For defenders, this is a clear-cut case of insecure design leading to a catastrophic authentication failure. The attacker’s calculus is simple: enumerate OIDC-provisioned users and then trivially log in. This vulnerability has been patched in Note Mark version 0.19.3. Organizations utilizing Note Mark must prioritize immediate upgrade to mitigate this severe risk.
What This Means For You
- If your organization uses Note Mark, particularly if you integrate with OIDC, you are directly exposed. Immediately verify your Note Mark version. If it's 0.19.2 or earlier, patch to version 0.19.3 without delay. Audit logs for any suspicious login attempts with 'null' as a password from external IPs.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-41571: Note Mark Authentication Bypass via 'null' Password
title: CVE-2026-41571: Note Mark Authentication Bypass via 'null' Password
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-41571 by sending a POST request to the /api/login endpoint with the password parameter set to 'null'. This bypasses authentication for OIDC-registered users in Note Mark version 0.19.2.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41571/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: authentication
detection:
selection:
cs-uri|contains:
- '/api/login'
cs-method:
- 'POST'
cs-uri-query|contains:
- 'password=null'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41571 | Auth Bypass | Note Mark application versions prior to 0.19.3 |
| CVE-2026-41571 | Auth Bypass | Note Mark backend/db/models.go IsPasswordMatch function |
| CVE-2026-41571 | Auth Bypass | Login with password: "null" for OIDC-registered users with no stored password |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Prometheus CVE-2026-42154: Unauthenticated Memory Exhaustion Vulnerability
CVE-2026-42154 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not...
Prometheus Azure AD OAuth Secret Exposed via Plaintext Config
CVE-2026-42151 — Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD...
CVE-2026-25863: WordPress Plugin DoS Vulnerability Hits Contact Form 7
CVE-2026-25863 — Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the...