Cyber Resilience

CVE-2026-41571

Severity: Critical
Published: 04 May 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: available (Note Mark 0.19.3)
CVSS v3.1 score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS score: 0.0030 (21.3rd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-41571 is a critical-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

Note Mark, an open-source note-taking application, contains a critical authentication bypass (CVE-2026-41571) in version 0.19.2. The flaw is in the IsPasswordMatch function in backend/db/models.go, which substitutes a hard-coded bcrypt("null") placeholder whenever a user has no stored password hash. OIDC-registered users are provisioned with an empty password field, so submitting the literal password "null" to the internal login endpoint passes the check for any such account.
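The following Go program is an added illustration of the pattern described above, not code from the Note Mark repository: it reconstructs the placeholder fallback from the advisory text and places a hardened variant beside it. A salted SHA-256 helper stands in for bcrypt so the example runs with the standard library alone; the User type, the method names IsPasswordMatchVulnerable and IsPasswordMatchFixed, and the sample accounts "alice" and "bob" are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// User carries the two fields that matter for this bug. Password holds the
// stored hash; OIDC-provisioned accounts are created with it empty.
type User struct {
	Username string
	Password string
}

// hashPassword is a salted SHA-256 stand-in for bcrypt, used only so this
// example runs offline. The format is "hex(salt)$hex(digest)".
func hashPassword(password string) string {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(digest(salt, password))
}

func digest(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// compareHash re-derives the digest from the stored salt and compares it in
// constant time. Malformed stored values never match.
func compareHash(stored, candidate string) bool {
	parts := strings.SplitN(stored, "$", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err := hex.DecodeString(parts[0])
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(parts[1])
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, digest(salt, candidate)) == 1
}

// placeholderHash reproduces the advisory's pattern: a hash of the literal
// string "null" used whenever no hash is stored for the account.
var placeholderHash = hashPassword("null")

// IsPasswordMatchVulnerable is the pre-0.19.3 shape of the check. An empty
// stored hash is swapped for placeholderHash, so the candidate "null"
// matches every OIDC-provisioned account.
func (u User) IsPasswordMatchVulnerable(candidate string) bool {
	stored := u.Password
	if stored == "" {
		stored = placeholderHash
	}
	return compareHash(stored, candidate)
}

// dummyHash is derived from random bytes, so no attacker-chosen string can
// ever match it. It exists only to keep timing uniform.
var dummyHash = func() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hashPassword(hex.EncodeToString(b))
}()

// IsPasswordMatchFixed is one hardened form (an assumption of this example,
// not necessarily the project's own patch). An account with no stored hash
// has no local credential, so the result is forced to false no matter what
// the comparison says. The comparison still runs, against dummyHash, so the
// response time does not reveal which accounts are OIDC-only.
func (u User) IsPasswordMatchFixed(candidate string) bool {
	stored := u.Password
	hasLocal := stored != ""
	if !hasLocal {
		stored = dummyHash
	}
	matched := compareHash(stored, candidate)
	return hasLocal && matched
}

func main() {
	oidcUser := User{Username: "alice"}                                   // constructed OIDC account
	localUser := User{Username: "bob", Password: hashPassword("hunter2")} // constructed local account

	fmt.Println("vulnerable, alice/null :", oidcUser.IsPasswordMatchVulnerable("null"))
	fmt.Println("fixed,      alice/null :", oidcUser.IsPasswordMatchFixed("null"))
	fmt.Println("fixed,      bob/hunter2:", localUser.IsPasswordMatchFixed("hunter2"))
	fmt.Println("fixed,      bob/null   :", localUser.IsPasswordMatchFixed("null"))
}
```

The design point is that a dummy comparison is a reasonable way to equalize timing, but its outcome must never feed the authentication decision; the vulnerable form makes the placeholder a real credential, the fixed form keeps the comparison and discards its result whenever there is no local password.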

The vulnerability is exploitable by unauthenticated attackers over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and association with CWE-287 (Improper Authentication). Successful exploitation grants a valid session for any targeted OIDC-registered user, allowing high-impact compromise of confidentiality and integrity, such as unauthorized access to notes, with limited availability disruption.

The issue is fixed in Note Mark version 0.19.3, as detailed in the project's GitHub release notes and security advisory (GHSA-pxf8-6wqm-r6hh). Practitioners should upgrade immediately. Until the upgrade is applied, treat every OIDC-provisioned account as reachable with a known password, and review authentication logs for local (non-OIDC) logins to accounts that were never given a local password.


Vulnerability details

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The bypass sits in the publicly accessible login endpoint of a web application and affects OIDC-registered users, so it gives a remote attacker initial access without any valid credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)
CVE-2018-25236 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)
CVE-2024-57049 (shared CWE-287)
CVE-2025-12374 (shared CWE-287)
CVE-2025-15484 (shared CWE-287)

Affected Assets

Note Mark 0.19.2 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mitigates the authentication bypass by requiring timely identification, reporting, and remediation of software flaws, including applying the patch in Note Mark version 0.19.3.

IA-5 Authenticator Management (prevent): ensures secure management and verification of authenticators, preventing flawed logic such as a hard-coded bcrypt("null") fallback for users with empty passwords.

Account provisioning (prevent): supports secure account provisioning and management for OIDC-registered users, reducing the risk that an empty password field triggers the vulnerable authentication fallback.
