PT-2026-56843 · Go · Github.Com/Enchant97/Note-Mark/Backend
Publicado
2026-07-09
·
Atualizado
2026-07-09
·
CVE-2026-50554
CVSS v3.1
5.3
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Summary
GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the
service runs the query with Unscoped() (bypassing GORM's soft-delete scope) but keeps the read-authorization clause as "owner id = ? OR is public
= ?". As a result, any unauthenticated caller can enumerate the metadata of soft-deleted ("trashed") notes belonging to any public book — notes
the owner explicitly deleted and expected to be removed from public view.
Affected component (code-verified)
backend/services/notes.go — GetNotesByBookID (lines 72-89):
func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) {
tx := db.DB
if deleted {
tx = tx.Unscoped() // <-- bypasses soft-delete scope
}
tx = tx.
Preload("Book").
Joins("JOIN books ON books.id = notes.book id").
Where(
db.DB.Where("books.id = ?", bookID),
db.DB.Where("owner id = ? OR is public = ?", currentUserID, true), // <-- is public still honored for trash
)
if deleted {
tx = tx.Where("notes.deleted at IS NOT NULL")
}
var notes []db.Note
return notes, dbErrorToServiceError(tx.Find(¬es).Error)
}
Route registration confirms the endpoint has no AuthRequiredMiddleware (backend/handlers/notes.go:37), and the deleted flag is attacker-controlled
(backend/handlers/notes.go:86 — Deleted bool with query:"deleted").
Proof of concept
- A victim owns a public book (is public = true), creates a note, then soft-deletes it (moves it to trash). The note still exists in the DB with deleted at set.
- An unauthenticated attacker who knows (or enumerates) the book UUID requests: GET /api/books//notes?deleted=true
- The response lists the soft-deleted note(s) — id, title, slug, timestamps — even though the attacker is not authenticated and the owner intended the note to be deleted.
Impact
Exposure of soft-deleted note metadata (title, slug, timestamps) of public books to unauthenticated actors. The note body is not exposed — the
content endpoint (GetNoteContent) does not use Unscoped(), so its count query returns 0 for soft-deleted notes and yields 404. Impact is therefore
limited to metadata disclosure and the bypass of the intended "delete" semantics on public books.
Remediation
Restrict trash (soft-deleted) listings to the book owner only — never honor the is public branch when deleted=true:
func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) {
tx := db.DB
if deleted {
tx = tx.Unscoped()
}
- // Soft-deleted ("trash") notes must only ever be listed to the book owner.
- authz := db.DB.Where("owner id = ? OR is public = ?", currentUserID, true)
- if deleted {
-
authz = db.DB.Where("owner id = ?", currentUserID) - } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book id"). Where( db.DB.Where("books.id = ?", bookID),
-
db.DB.Where("owner id = ? OR is public = ?", currentUserID, true),
-
if deleted { tx = tx.Where("notes.deleted at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(¬es).Error) }
authz, )
With this change, when currentUserID is nil (unauthenticated) and deleted=true, the clause becomes owner id = NULL, which matches nothing — so
trash is never exposed to anonymous callers.
Coordinated disclosure / CVE request
We have reported this privately and are happy to assist with any further validation or testing you need. If you agree this qualifies as a security
vulnerability, we would be grateful if you could request a CVE ID for it — GitHub lets maintainers request a CVE directly from this advisory page
once it is accepted. Thank you for your time and for maintaining note-mark.
References
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-285: Improper Authorization
- Prior note-mark authorization fix (CVE-2026-40265) established that read paths must scope by owner id OR is public; this report covers the trash path that the scope did not fully cover.
Correção
Improper Authorization
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Github.Com/Enchant97/Note-Mark/Backend