CVE-2026-41571
CriticalSummary
The Note Mark note-taking application in version 0.19.2 has a vulnerability where the IsPasswordMatch function in the backend uses a hard-coded bcrypt("null") password for users without stored passwords. OIDC-registered users are created with an empty password, allowing anyone to obtain a valid session by submitting password: "null" to the internal login endpoint.
Risk Assessment
This vulnerability allows unauthorized users to access accounts with empty passwords, posing a serious threat to user data security.
Recommendation
It is recommended to update the application to version 0.19.3, where the issue has been patched, to protect against this type of attack.
Original NVD description (English source)
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.

