Cyber Posture

CVE-2026-41571

Critical

Published: 04 May 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: version 0.19.3
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41571 is a critical-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the authentication bypass by requiring timely identification, reporting, and remediation of software flaws, including applying the patch in Note Mark version 0.19.3.

IA-5 Authenticator Management (prevent): Ensures secure management and verification of authenticators, preventing flawed logic such as a hard-coded bcrypt('null') fallback for users with an empty password.

Account provisioning (prevent; control identifier not given on this page): Supports secure account provisioning and management for OIDC-registered users, reducing the risk of empty password fields triggering the vulnerable authentication fallback.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in publicly accessible web app login (OIDC users) directly enables remote exploitation for initial access without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:"null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.

Deeper analysis

Note Mark, an open-source note-taking application, contains a critical authentication bypass vulnerability designated as CVE-2026-41571 in version 0.19.2. The flaw resides in the IsPasswordMatch function within backend/db/models.go, which defaults to a hard-coded bcrypt("null") placeholder for users lacking a stored password. OIDC-registered users are provisioned with an empty password field, enabling the bypass when the password "null" is submitted to the internal login endpoint.

The vulnerability is exploitable by unauthenticated attackers over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and association with CWE-287 (Improper Authentication). Successful exploitation grants a valid session for any targeted OIDC-registered user, allowing high-impact compromise of confidentiality and integrity, such as unauthorized access to notes, with limited availability disruption.

The issue has been addressed in Note Mark version 0.19.3, as detailed in the project's GitHub release notes and security advisory (GHSA-pxf8-6wqm-r6hh). Security practitioners should urge users to upgrade immediately to mitigate the risk.
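To make the flaw pattern concrete for reviewers of similar code, the following Go program is an added example written for this page; it is not Note Mark's code and does not reproduce the project's actual patch. It models the control flow the advisory describes (an empty stored password silently replaced by a fixed placeholder hash) beside a fail-closed version, and adds a small audit helper that lists the accounts such a fallback would expose. The User struct, the function names, and the sample accounts are constructed for the example; a salted SHA-256 stands in for bcrypt so the program runs with only the standard library and is not a recommendation for password storage.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// User is a hypothetical stand-in for the account record the advisory
// describes: accounts registered through OIDC carry an empty Password field.
type User struct {
	Username string
	Password string // salted hash, or "" for OIDC-registered accounts
	OIDC     bool
}

// ErrPasswordAuthDisabled is returned by the hardened check for accounts that
// have no password hash and therefore must never authenticate by password.
var ErrPasswordAuthDisabled = errors.New("password authentication not enabled for this account")

// hashPassword is a stand-in for bcrypt: hex(salt) ":" hex(sha256(salt||password)).
// It only exists to make the control flow testable offline; do not use it as a
// production password hash.
func hashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	sum := sha256.Sum256(append(salt, password...))
	return hex.EncodeToString(salt) + ":" + hex.EncodeToString(sum[:]), nil
}

// compareHash verifies password against a hashPassword() string in constant time.
func compareHash(stored, password string) bool {
	parts := strings.SplitN(stored, ":", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err := hex.DecodeString(parts[0])
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(parts[1])
	if err != nil {
		return false
	}
	sum := sha256.Sum256(append(salt, password...))
	return subtle.ConstantTimeCompare(sum[:], want) == 1
}

// placeholderHash mirrors the hard-coded bcrypt("null") placeholder from the
// advisory: one fixed, knowable value substituted for "no password".
var placeholderHash, _ = hashPassword("null")

// vulnerableIsPasswordMatch reproduces the flawed control flow: an empty stored
// hash is replaced by the placeholder, so the literal value "null" matches
// every password-less (OIDC) account.
func vulnerableIsPasswordMatch(u User, password string) bool {
	hash := u.Password
	if hash == "" {
		hash = placeholderHash // the bug: a known constant stands in for "no password"
	}
	return compareHash(hash, password)
}

// hardenedIsPasswordMatch is this editor's illustration of the safe shape (not
// the project's patch): an account with no stored hash fails closed with an
// explicit error, whatever was submitted, so the caller can log and reject it.
func hardenedIsPasswordMatch(u User, password string) (bool, error) {
	if u.Password == "" {
		return false, ErrPasswordAuthDisabled
	}
	return compareHash(u.Password, password), nil
}

// passwordlessAccounts lists the accounts an operator of an unpatched instance
// would want to review: every record with an empty password field was reachable
// through the placeholder fallback.
func passwordlessAccounts(users []User) []string {
	var names []string
	for _, u := range users {
		if u.Password == "" {
			names = append(names, u.Username)
		}
	}
	return names
}

func main() {
	localHash, err := hashPassword("correct horse battery staple") // constructed sample
	if err != nil {
		panic(err)
	}
	users := []User{
		{Username: "alice", Password: localHash},
		{Username: "bob", OIDC: true}, // constructed OIDC-registered account, empty password
	}
	for _, u := range users {
		ok, err := hardenedIsPasswordMatch(u, "null")
		fmt.Printf("%-6s vulnerable(\"null\")=%v hardened(\"null\")=%v err=%v\n",
			u.Username, vulnerableIsPasswordMatch(u, "null"), ok, err)
	}
	fmt.Println("accounts to review:", passwordlessAccounts(users))
}
```

The design point is that "no password set" must be a distinct state that the comparison refuses outright, never a default credential: substituting any fixed hash, however obscure, turns every password-less account into a shared-secret account whose secret is known to anyone who reads the source. Returning a typed error rather than a bare false also gives the login handler something specific to log, which is the signal a defender would watch for on an instance that has OIDC users.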

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: Note Mark 0.19.2 (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-5570 (shared CWE-287)
CVE-2025-52395 (shared CWE-287)
CVE-2025-15484 (shared CWE-287)
CVE-2026-2174 (shared CWE-287)
CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2026-39322 (shared CWE-287)
CVE-2026-34873 (shared CWE-287)
CVE-2026-20129 (shared CWE-287)
CVE-2026-30967 (shared CWE-287)
