Cyber Resilience

CVE-2026-44523

Critical

Published: 14 May 2026

Modified: 15 May 2026
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0012 (2.5th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-44523 is a critical-severity Inadequate Encryption Strength (CWE-326) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Access Token (T1550.001). The CVE ranks at the 2.5th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.
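The validation the advisory says was missing before 0.19.4, as an added example that is not Note Mark's own code: a permissive loader that accepts any base64-decodable value beside a hardened loader that enforces a minimum decoded length and an entropy floor, plus a generator for a compliant secret. The setting name JWT_SECRET comes from the advisory; MIN_SECRET_BYTES, MIN_BITS_PER_BYTE, the entropy threshold and the function names are assumptions.

```python
import base64
import binascii
import math
import secrets
from collections import Counter

# RFC 7518 s3.2: an HS256 key MUST be at least the hash output size (256 bits).
MIN_SECRET_BYTES = 32
# Entropy floor in bits per byte (assumed threshold): 32 random bytes score ~5.0,
# a repeated or patterned filler scores well below.
MIN_BITS_PER_BYTE = 3.0

def decode_secret_permissive(value: str) -> bytes:
    """Pre-0.19.4 behaviour as the advisory describes it: any base64-decodable
    value is accepted, so "AQ==" (a single 0x01 byte) becomes the signing key."""
    return base64.b64decode(value, validate=True)

def shannon_bits_per_byte(data: bytes) -> float:
    """Entropy estimate from the byte histogram (0.0 for a repeated byte)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def load_jwt_secret(value: str) -> bytes:
    """Hardened loader: rejects missing, undecodable, short or low-entropy secrets."""
    if not value:
        raise ValueError("JWT_SECRET is not set")
    try:
        key = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("JWT_SECRET is not valid base64") from exc
    if len(key) < MIN_SECRET_BYTES:
        raise ValueError(f"JWT_SECRET decodes to {len(key)} bytes; need {MIN_SECRET_BYTES}")
    if shannon_bits_per_byte(key) < MIN_BITS_PER_BYTE:
        raise ValueError("JWT_SECRET has too little entropy (repeated or patterned bytes)")
    return key

def generate_jwt_secret(nbytes: int = MIN_SECRET_BYTES) -> str:
    """Compliant secret from the OS CSPRNG, base64-encoded for a config file."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

if __name__ == "__main__":
    print(len(decode_secret_permissive("AQ==")), "byte key accepted by the permissive loader")
    for weak in ("AQ==", base64.b64encode(b"a" * 32).decode()):  # constructed weak inputs
        try:
            load_jwt_secret(weak)
        except ValueError as err:
            print("rejected:", err)
    print("generated secret ok:", len(load_jwt_secret(generate_jwt_secret())), "bytes")
```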

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1550.001 Application Access Token (Lateral Movement): Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
T1606 Forge Web Credentials (Credential Access): Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

A weak JWT secret enables easy forgery of application access tokens (T1550.001) and web credentials (T1606).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1195 (shared CWE-345)
CVE-2026-35042 (shared CWE-345)
CVE-2026-32597 (shared CWE-345)
CVE-2026-44351 (shared CWE-326)
CVE-2026-3012 (shared CWE-345)
CVE-2026-35051 (shared CWE-345)
CVE-2025-15385 (shared CWE-345)
CVE-2025-1108 (shared CWE-345)
CVE-2025-36379 (shared CWE-326)
CVE-2026-33143 (shared CWE-345)

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-326: Maintaining currency with technologies and practices reduces selection of encryption mechanisms that provide inadequate strength.

Addresses CWE-345: Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

Addresses CWE-326: Updated assessments identify when previously adequate encryption strength no longer meets current attack capabilities or compliance drivers.

Addresses CWE-326: Establishment procedures require selection and generation of keys with adequate length and strength for the chosen algorithm.

Addresses CWE-326: Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength.

Addresses CWE-345: Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.

Addresses CWE-345: Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.

Addresses CWE-345: Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.
