PT-2026-56843 · Go · Github.Com/Enchant97/Note-Mark/Backend
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-50554
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Summary
GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the
service runs the query with Unscoped() (bypassing GORM's soft-delete scope) but keeps the read-authorization clause as "owner id = ? OR is public
= ?". As a result, any unauthenticated caller can enumerate the metadata of soft-deleted ("trashed") notes belonging to any public book — notes
the owner explicitly deleted and expected to be removed from public view.
Affected component (code-verified)
backend/services/notes.go — GetNotesByBookID (lines 72-89):
func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) {
tx := db.DB
if deleted {
tx = tx.Unscoped() // <-- bypasses soft-delete scope
}
tx = tx.
Preload("Book").
Joins("JOIN books ON books.id = notes.book id").
Where(
db.DB.Where("books.id = ?", bookID),
db.DB.Where("owner id = ? OR is public = ?", currentUserID, true), // <-- is public still honored for trash
)
if deleted {
tx = tx.Where("notes.deleted at IS NOT NULL")
}
var notes []db.Note
return notes, dbErrorToServiceError(tx.Find(¬es).Error)
}
Route registration confirms the endpoint has no AuthRequiredMiddleware (backend/handlers/notes.go:37), and the deleted flag is attacker-controlled
(backend/handlers/notes.go:86 — Deleted bool with query:"deleted").
Proof of concept
- A victim owns a public book (is public = true), creates a note, then soft-deletes it (moves it to trash). The note still exists in the DB with deleted at set.
- An unauthenticated attacker who knows (or enumerates) the book UUID requests: GET /api/books//notes?deleted=true
- The response lists the soft-deleted note(s) — id, title, slug, timestamps — even though the attacker is not authenticated and the owner intended the note to be deleted.
Impact
Exposure of soft-deleted note metadata (title, slug, timestamps) of public books to unauthenticated actors. The note body is not exposed — the
content endpoint (GetNoteContent) does not use Unscoped(), so its count query returns 0 for soft-deleted notes and yields 404. Impact is therefore
limited to metadata disclosure and the bypass of the intended "delete" semantics on public books.
Remediation
Restrict trash (soft-deleted) listings to the book owner only — never honor the is public branch when deleted=true:
func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) {
tx := db.DB
if deleted {
tx = tx.Unscoped()
}
- // Soft-deleted ("trash") notes must only ever be listed to the book owner.
- authz := db.DB.Where("owner id = ? OR is public = ?", currentUserID, true)
- if deleted {
-
authz = db.DB.Where("owner id = ?", currentUserID) - } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book id"). Where( db.DB.Where("books.id = ?", bookID),
-
db.DB.Where("owner id = ? OR is public = ?", currentUserID, true),
-
if deleted { tx = tx.Where("notes.deleted at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(¬es).Error) }
authz, )
With this change, when currentUserID is nil (unauthenticated) and deleted=true, the clause becomes owner id = NULL, which matches nothing — so
trash is never exposed to anonymous callers.
Coordinated disclosure / CVE request
We have reported this privately and are happy to assist with any further validation or testing you need. If you agree this qualifies as a security
vulnerability, we would be grateful if you could request a CVE ID for it — GitHub lets maintainers request a CVE directly from this advisory page
once it is accepted. Thank you for your time and for maintaining note-mark.
References
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-285: Improper Authorization
- Prior note-mark authorization fix (CVE-2026-40265) established that read paths must scope by owner id OR is public; this report covers the trash path that the scope did not fully cover.
Fix
Improper Authorization
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Github.Com/Enchant97/Note-Mark/Backend