PT-2026-32120 · Note Mark

Published 2026-04-11 · Updated 2026-04-17 · CVE-2026-40265

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Note Mark versions prior to 0.19.2

Description: A broken access control issue exists in the asset download endpoint '/api/notes/{noteID}/assets/{assetID}'. The endpoint is registered without authentication middleware, and the backend query fails to verify ownership or book visibility. An unauthenticated user who possesses a valid noteID and assetID can retrieve the full contents of private note assets, regardless of whether the associated book is public or private. This occurs because the retrieval process only queries the asset table by ID and does not check whether the requester owns the parent book or whether the book is private.

Recommendations: Update to version 0.19.2. As a temporary workaround, restrict access to the '/api/notes/{noteID}/assets/{assetID}' endpoint to minimize the risk of exploitation.
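The following Go code is an added illustration of the authorization gap described above, not Note Mark's own code: it contrasts a lookup that fetches an asset by ID alone with one that walks asset -> note -> book and releases the bytes only to the book's owner or when the book is public. The in-memory types, the requester identifier and the sample data are constructed for this example.

```go
package main

import "errors"

// Constructed in-memory stand-in for the asset/note/book tables (not Note Mark's real schema).
type Book struct {
	OwnerID string
	Public  bool
}
type Asset struct {
	NoteID string
	Data   []byte
}
type Store struct {
	Books  map[string]Book
	Notes  map[string]string // noteID -> bookID
	Assets map[string]Asset
}

var ErrNotFound = errors.New("not found")

// vulnerableLookup reproduces the advisory's flaw: fetch by asset ID alone, no ownership check.
func (s *Store) vulnerableLookup(assetID string) ([]byte, error) {
	if a, ok := s.Assets[assetID]; ok {
		return a.Data, nil
	}
	return nil, ErrNotFound
}

// authorizedLookup walks asset -> note -> book and releases the bytes only if
// the book is public or the requester ("" = unauthenticated) owns it; denials
// return ErrNotFound so the endpoint does not confirm a private asset exists.
func (s *Store) authorizedLookup(requesterID, noteID, assetID string) ([]byte, error) {
	a, ok := s.Assets[assetID]
	bookID, nok := s.Notes[a.NoteID]
	b, bok := s.Books[bookID]
	if !ok || !nok || !bok || a.NoteID != noteID || (!b.Public && b.OwnerID != requesterID) {
		return nil, ErrNotFound
	}
	return a.Data, nil
}

// sampleStore: one private book owned by "alice" holding one note with one asset.
func sampleStore() *Store {
	return &Store{
		Books:  map[string]Book{"b1": {OwnerID: "alice"}},
		Notes:  map[string]string{"n1": "b1"},
		Assets: map[string]Asset{"a1": {NoteID: "n1", Data: []byte("secret")}},
	}
}
```

The request handler still needs an authentication middleware in front of it to populate the requester identity; the lookup above only enforces the ownership and visibility check that the advisory reports as missing.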

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-40265, GHSA-P5W6-75F9-CC2P

Affected Products: Note Mark