CVE-2026-40265

CVE-2026-40265 is a medium-severity missing authorization vulnerability in github.com/enchant97/note-mark/backend (go), affecting versions < 0.0.0-20260411145023-6593898855ad. It is fixed in 0.0.0-20260411145023-6593898855ad.

Summary

A broken access control vulnerability allows unauthenticated users to retrieve note assets directly from the asset download endpoint when they know both the note UUID and asset UUID. This exposes the full contents of private note assets without authentication, even when the associated book is not public.

Details

The issue is caused by the asset download route being registered without authentication middleware.

Relevant route registration:

  • handlers/assets.go, line 40
huma.Get(api, "/api/notes/{noteID}/assets/{assetID}", h.GetNoteAssetContentByID)

By contrast, other asset operations correctly apply authentication middleware. For example:

huma.Delete(api, "/api/notes/{noteID}/assets/{assetID}", h.DeleteNoteAsset,
    huma.WithMiddleware(h.authMiddleware.AuthRequiredMiddleware))

The backend service for asset retrieval also does not enforce ownership or visibility checks. In the referenced code, the lookup only queries the asset table by asset ID and note ID:

SELECT * FROM note_assets WHERE id = ? AND note_id = ?

Because the retrieval path does not join against the related notes or books records, it does not verify:

  • whether the requester owns the parent book
  • whether the parent book is public or private
  • whether the related note has been deleted

As a result, possession of a valid noteID and assetID is sufficient to retrieve the asset binary, regardless of whether the note belongs to a private book.

The exploitability is constrained by identifier knowledge. Both noteID and assetID are UUIDv4 values, so blind guessing is impractical. However, the endpoint remains vulnerable whenever those identifiers are disclosed through another channel, such as leaked links, browser history, proxy logs, shared URLs, or other application behaviors that expose internal asset references.

PoC

The issue can be reproduced by creating a private note with an attached asset, then requesting the asset download endpoint without authentication using the valid noteID and assetID. The server returns the asset content even though the associated note is private.
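The following Go program is an added example written for this advisory, not code from note-mark or its maintainers. It models the two defects described under Details and the reproduction under PoC in one stand-in server: an in-memory store playing the role of the books, notes and note_assets tables (constructed sample rows), a handler for /api/notes/{noteID}/assets/{assetID} that can run either with the bare lookup from the advisory or with the ownership/visibility check the advisory says is missing, and a helper that issues the unauthenticated GET. The struct names, the in-memory store and the "Authorization: Bearer <userID>" credential scheme are assumptions made for the example; the real application's auth middleware and database layer differ.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed in-memory stand-ins for the books, notes and note_assets
// tables. This is example code for the advisory, not note-mark's own code;
// the types, the sample rows and the bearer scheme below are assumptions.
type Book struct{ ID, OwnerID string; Public bool }
type Note struct{ ID, BookID string; Deleted bool }
type Asset struct{ ID, NoteID string; Content []byte }

var (
	books = map[string]Book{
		"book-1":   {ID: "book-1", OwnerID: "alice", Public: false},
		"book-pub": {ID: "book-pub", OwnerID: "alice", Public: true},
	}
	notes = map[string]Note{
		"note-1": {ID: "note-1", BookID: "book-1"},
		"note-2": {ID: "note-2", BookID: "book-pub", Deleted: true},
	}
	assets = map[string]Asset{
		"asset-1": {ID: "asset-1", NoteID: "note-1", Content: []byte("secret diagram")},
		"asset-2": {ID: "asset-2", NoteID: "note-2", Content: []byte("old attachment")},
	}
	errNotFound = errors.New("not found")
)

// lookupAssetVulnerable mirrors the query quoted in the advisory,
// SELECT * FROM note_assets WHERE id = ? AND note_id = ?,
// which never consults the parent note or book.
func lookupAssetVulnerable(noteID, assetID string) (Asset, error) {
	a, ok := assets[assetID]
	if !ok || a.NoteID != noteID {
		return Asset{}, errNotFound
	}
	return a, nil
}

// lookupAssetAuthorized does what the missing JOIN would do: it follows
// note_assets -> notes -> books and requires a live note and a book that is
// public or owned by the requester. requesterID is "" when unauthenticated.
func lookupAssetAuthorized(requesterID, noteID, assetID string) (Asset, error) {
	a, err := lookupAssetVulnerable(noteID, assetID)
	if err != nil {
		return Asset{}, err
	}
	n, ok := notes[a.NoteID]
	if !ok || n.Deleted {
		return Asset{}, errNotFound
	}
	b, ok := books[n.BookID]
	if !ok || (!b.Public && (requesterID == "" || requesterID != b.OwnerID)) {
		// 404 rather than 403, so a private book does not confirm that a
		// leaked or guessed asset ID exists.
		return Asset{}, errNotFound
	}
	return a, nil
}

// parseAssetPath splits /api/notes/{noteID}/assets/{assetID}, the route
// named in the advisory, without depending on any router.
func parseAssetPath(p string) (noteID, assetID string, ok bool) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) != 5 || parts[0] != "api" || parts[1] != "notes" || parts[3] != "assets" {
		return "", "", false
	}
	return parts[2], parts[4], true
}

// requesterID is a stand-in for the session lookup an auth middleware would
// do; the "Bearer <userID>" scheme is an assumption of this example.
func requesterID(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return ""
	}
	return strings.TrimPrefix(h, "Bearer ")
}

// assetHandler serves the download route. authorize=false behaves like the
// vulnerable registration (no middleware, bare lookup); authorize=true adds
// the ownership/visibility check.
func assetHandler(authorize bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		noteID, assetID, ok := parseAssetPath(r.URL.Path)
		if !ok {
			http.NotFound(w, r)
			return
		}
		var a Asset
		var err error
		if authorize {
			a, err = lookupAssetAuthorized(requesterID(r), noteID, assetID)
		} else {
			a, err = lookupAssetVulnerable(noteID, assetID)
		}
		if err != nil {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write(a.Content)
	}
}

// fetchAsset issues the PoC request (unauthenticated when bearer is "")
// against a handler and returns the status code and body.
func fetchAsset(h http.Handler, bearer, noteID, assetID string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/notes/"+noteID+"/assets/"+assetID, nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	code, body := fetchAsset(assetHandler(false), "", "note-1", "asset-1")
	fmt.Printf("vulnerable route, no credential: %d %q\n", code, body)
	code, body = fetchAsset(assetHandler(true), "", "note-1", "asset-1")
	fmt.Printf("checked route, no credential:    %d %q\n", code, body)
	code, body = fetchAsset(assetHandler(true), "alice", "note-1", "asset-1")
	fmt.Printf("checked route, book owner:       %d %q\n", code, body)
}
```

Running it shows the private asset served with 200 on the unchecked route, 404 for the same unauthenticated request once the note/book check is applied, and 200 again for the book owner. The check also refuses assets whose note is soft-deleted, even in a public book, which is the third condition the advisory lists as unverified.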

Impact

  • Type: Broken access control / unauthenticated information disclosure
  • Who is impacted: Any deployment exposing the affected asset download endpoint
  • Security impact: Full binary contents of private note assets can be disclosed to unauthenticated users who know the required identifiers
  • Attack preconditions: The attacker must know both the target noteID and assetID; no authentication is required
  • Attack complexity: High, because successful exploitation depends on prior disclosure of both UUIDs rather than feasible online guessing

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

CVE-2026-40265 has a CVSS score of 5.9 (Medium). The vector is network-reachable with high attack complexity, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260411145023-6593898855ad); upgrading removes the vulnerable code path.

Affected versions

github.com/enchant97/note-mark/backend (< 0.0.0-20260411145023-6593898855ad)

Security releases

github.com/enchant97/note-mark/backend → 0.0.0-20260411145023-6593898855ad (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/enchant97/note-mark/backend to 0.0.0-20260411145023-6593898855ad or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-40265? CVE-2026-40265 is a medium-severity missing authorization vulnerability in github.com/enchant97/note-mark/backend (go), affecting versions < 0.0.0-20260411145023-6593898855ad. It is fixed in 0.0.0-20260411145023-6593898855ad. The application does not perform an authorization check before performing a sensitive operation.
  2. How severe is CVE-2026-40265? CVE-2026-40265 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/enchant97/note-mark/backend are affected by CVE-2026-40265? github.com/enchant97/note-mark/backend (go) versions < 0.0.0-20260411145023-6593898855ad are affected.
  4. Is there a fix for CVE-2026-40265? Yes. CVE-2026-40265 is fixed in 0.0.0-20260411145023-6593898855ad. Upgrade to this version or later.
  5. Is CVE-2026-40265 exploitable, and should I be worried? Whether CVE-2026-40265 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-40265 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40265? Upgrade github.com/enchant97/note-mark/backend to 0.0.0-20260411145023-6593898855ad or later.

Other vulnerabilities in github.com/enchant97/note-mark/backend

  • CVE-2026-44523
  • CVE-2026-44522
  • CVE-2026-41571
  • CVE-2026-40265
  • CVE-2026-40263
