Threat Advisory

Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in go/github.com/enchant97/note-mark/backend across two separate advisories, affecting versions less than 0.0.0-20260501152247-18b587758667 and less than 0.0.0-20260501152243-db3f72bff780. These vulnerabilities include a JWT secret weakness that allows full account takeover via token forgery and an arbitrary file write vulnerability leading to remote code execution. The business risk and impact of these vulnerabilities are significant, as they can lead to unauthorized access to sensitive data and allow attackers to execute malicious code on the system, resulting in potential data breaches, system compromise, and reputational damage.

  • CVE-2026-44523 with a CVSS score of 10.0 – A JWT secret weakness exists in the application due to inadequate validation of the secret length and entropy. This allows attackers to recover the signing key and forge valid JWTs for arbitrary users, resulting in full account takeover. The vulnerability can be exploited by capturing a valid JWT and performing offline brute-force or dictionary attacks against the token signature. No prerequisites are required for exploitation, and the attacker can achieve arbitrary user authentication.
  • CVE-2026-44522 with a CVSS score of 7.5 – An arbitrary file write vulnerability exists in the application due to a lack of path traversal sequence rejection and directory component stripping. This allows attackers to write files to arbitrary locations on the filesystem, which can be escalated to Remote Code Execution by overwriting system binaries. The vulnerability can be exploited by manipulating the asset name in the `X-Name` HTTP header and using it to access protected endpoints. No prerequisites are required for exploitation, and the attacker can achieve arbitrary file write.
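The first bullet faults the application for not validating the length and entropy of its JWT signing secret. The following Go program is an added example written for this advisory, not code from the Note Mark project: it shows the startup check a backend should perform before it ever signs a token, plus a helper that generates an acceptable key from the OS CSPRNG. The environment variable name `JWT_SECRET`, the 3.0 bits-per-byte entropy threshold and the `generate` sub-command are assumptions for the example; the 32-byte minimum is the HS256 key size RFC 7518 requires.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"math"
	"os"
)

// minSecretBytes is 256 bits, the minimum HMAC key size RFC 7518 §3.2
// requires for HS256; anything shorter is exposed to offline guessing.
const minSecretBytes = 32

// minBitsPerByte is an assumed heuristic threshold for this example:
// repeated or dictionary-style secrets score well below it, while
// random bytes score close to log2(len) bits per byte.
const minBitsPerByte = 3.0

var (
	errTooShort   = errors.New("jwt secret shorter than 32 bytes")
	errLowEntropy = errors.New("jwt secret looks human-chosen or repetitive")
)

// shannonBitsPerByte returns the empirical Shannon entropy of b in bits
// per byte (0 for an all-identical secret, up to 8 for a uniform one).
func shannonBitsPerByte(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ValidateJWTSecret is the check the advisory says was missing: refuse to
// sign tokens with a key that is short or visibly low-entropy.
func ValidateJWTSecret(secret []byte) error {
	if len(secret) < minSecretBytes {
		return errTooShort
	}
	if shannonBitsPerByte(secret) < minBitsPerByte {
		return errLowEntropy
	}
	return nil
}

// GenerateSecret produces a key that passes ValidateJWTSecret using the
// OS CSPRNG; persist it, never derive it from a passphrase.
func GenerateSecret() ([]byte, error) {
	b := make([]byte, minSecretBytes)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

func main() {
	// Assumed operator workflow: `prog generate` prints a fresh key once.
	if len(os.Args) > 1 && os.Args[1] == "generate" {
		b, err := GenerateSecret()
		if err != nil {
			fmt.Fprintln(os.Stderr, "cannot generate a secret:", err)
			os.Exit(1)
		}
		fmt.Println(base64.StdEncoding.EncodeToString(b))
		return
	}
	// Assumed deployment convention: the secret arrives raw in JWT_SECRET.
	if err := ValidateJWTSecret([]byte(os.Getenv("JWT_SECRET"))); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("jwt secret accepted")
}
```

The entropy score is a heuristic that catches the obvious failure modes (a short word, a repeated word, a default left in a config file); it is not a substitute for generating the key randomly in the first place, which is why the example refuses to start rather than warn.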

The overall risk and urgency of these vulnerabilities are high, and immediate action is required to mitigate the impact. If exploited, these vulnerabilities can result in severe business consequences, including data breaches, system compromise, and reputational damage.
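For the arbitrary file write (CVE-2026-44522 above), the missing controls were rejection of traversal sequences and stripping of directory components from the asset name supplied in the `X-Name` header. The Go code below is an added example for this advisory, not the project's own handler: it validates the header value with an allowlist, re-checks that the resolved path stays under the asset directory, and opens the target with `O_EXCL` so an upload can never overwrite an existing file. The directory `/var/lib/notemark/assets`, the `/assets` route and the 10 MiB body limit are assumptions.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// assetRoot is an assumed location: the only directory uploads may land in.
const assetRoot = "/var/lib/notemark/assets"

var errBadName = errors.New("invalid asset name")

// safeName allows plain file names only: leading alphanumeric, no
// separators, bounded length. Allowlisting beats enumerating bad sequences.
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

// SafeAssetName validates a client-supplied name. It rejects rather than
// silently strips traversal input, so probes surface as 400s in the logs.
func SafeAssetName(raw string) (string, error) {
	name := strings.TrimSpace(raw)
	switch {
	case name == "", name == ".", name == "..":
		return "", errBadName
	case strings.ContainsAny(name, "/\\\x00"):
		// A directory separator of either OS flavour, or a NUL byte, is a
		// traversal or truncation attempt, not a file name.
		return "", errBadName
	case strings.Contains(name, ".."):
		return "", errBadName
	case !safeName.MatchString(name):
		return "", errBadName
	}
	return name, nil
}

// AssetPath resolves a validated name under assetRoot and re-checks
// containment, so a future relaxation of safeName cannot escape the root.
func AssetPath(raw string) (string, error) {
	name, err := SafeAssetName(raw)
	if err != nil {
		return "", err
	}
	full := filepath.Join(assetRoot, name)
	if !strings.HasPrefix(full, assetRoot+string(filepath.Separator)) {
		return "", errBadName
	}
	return full, nil
}

// uploadHandler takes the name from X-Name (the header named in the
// advisory) and stores the body without ever overwriting an existing file.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	full, err := AssetPath(r.Header.Get("X-Name"))
	if err != nil {
		http.Error(w, "invalid X-Name", http.StatusBadRequest)
		return
	}
	// O_EXCL: fail if the target exists, so even a bug elsewhere cannot
	// turn an upload into an overwrite of a binary or config file.
	f, err := os.OpenFile(full, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		http.Error(w, "cannot store asset", http.StatusConflict)
		return
	}
	defer f.Close()
	if _, err := io.Copy(f, http.MaxBytesReader(w, r.Body, 10<<20)); err != nil {
		http.Error(w, "upload failed", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

func main() {
	http.HandleFunc("/assets", uploadHandler)
	_ = http.ListenAndServe("127.0.0.1:8080", nil)
}
```

The three layers are deliberately redundant: the allowlist is the real control, the prefix check guards against regressions in it, and `O_EXCL` limits what a bypass could achieve. Running the service as an unprivileged user that can write only to `assetRoot` closes the remaining gap between "arbitrary file write" and "code execution".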

RECOMMENDATION:

  • We recommend updating go/github.com/enchant97/note-mark/backend to version 0.0.0-20260501152247-18b587758667.
  • We recommend updating go/github.com/enchant97/note-mark/backend to version 0.0.0-20260501152243-db3f72bff780.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-q6mh-rqwh-g786
https://github.com/advisories/GHSA-g49p-4qxj-88v3
