{"id":"CVE-2026-50554","aliases":["GHSA-588f-fvcv-xhvf"],"title":"Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books","summary":"Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books","severity":"medium","cvss":5.3,"cwe":["CWE-200","CWE-285"],"vendor":"enchant97","product":"github.com/enchant97/note-mark/backend","ecosystem":"go","affected":["github.com/enchant97/note-mark/backend < 0.0.0-20260601210758-9c9b72740f22"],"patched":["github.com/enchant97/note-mark/backend 0.0.0-20260601210758-9c9b72740f22"],"published":"2026-07-09","updated":"2026-07-09","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-588f-fvcv-xhvf","references":[{"url":"https://github.com/enchant97/note-mark/security/advisories/GHSA-588f-fvcv-xhvf"},{"url":"https://github.com/enchant97/note-mark/commit/9c9b72740f22a06131a8f64b53bb08e3b05b81a6"},{"url":"https://github.com/advisories/GHSA-588f-fvcv-xhvf"}],"tags":["ghsa","go"],"ingestedAt":"2026-07-09T13:51:05.187Z","slug":"CVE-2026-50554","body":"## Overview\n\nSummary\n\n  GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a \"deleted\" query parameter. When the request is ?deleted=true, the\n  service runs the query with Unscoped() (bypassing GORM's soft-delete scope) but keeps the read-authorization clause as \"owner_id = ? OR is_public\n  = ?\". As a result, any unauthenticated caller can enumerate the metadata of soft-deleted (\"trashed\") notes belonging to any public book — notes\n  the owner explicitly deleted and expected to be removed from public view.\n\n  Affected component (code-verified)\n\n  backend/services/notes.go — GetNotesByBookID (lines 72-89):\n\n  func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) {\n        tx := db.DB\n        if deleted {\n                tx = tx.Unscoped() // <-- bypasses soft-delete scope\n        }\n        tx = tx.\n                Preload(\"Book\").\n                Joins(\"JOIN books ON books.id = notes.book_id\").\n                Where(\n                        db.DB.Where(\"books.id = ?\", bookID),\n                        db.DB.Where(\"owner_id = ? OR is_public = ?\", currentUserID, true), // <-- is_public still honored for trash\n                )\n        if deleted {\n                tx = tx.Where(\"notes.deleted_at IS NOT NULL\")\n        }\n        var notes []db.Note\n        return notes, dbErrorToServiceError(tx.Find(&notes).Error)\n  }\n\n  Route registration confirms the endpoint has no AuthRequiredMiddleware (backend/handlers/notes.go:37), and the deleted flag is attacker-controlled\n   (backend/handlers/notes.go:86 — Deleted bool with query:\"deleted\").\n\n  Proof of concept\n\n  1. A victim owns a public book (is_public = true), creates a note, then soft-deletes it (moves it to trash). The note still exists in the DB with\n  deleted_at set.\n  2. An unauthenticated attacker who knows (or enumerates) the book UUID requests: GET /api/books/<bookID>/notes?deleted=true\n  3. The response lists the soft-deleted note(s) — id, title, slug, timestamps — even though the attacker is not authenticated and the owner\n  intended the note to be deleted.\n\n  Impact\n\n  Exposure of soft-deleted note metadata (title, slug, timestamps) of public books to unauthenticated actors. The note body is not exposed — the\n  content endpoint (GetNoteContent) does not use Unscoped(), so its count query returns 0 for soft-deleted notes and yields 404. Impact is therefore\n   limited to metadata disclosure and the bypass of the intended \"delete\" semantics on public books.\n\n  Remediation\n\n  Restrict trash (soft-deleted) listings to the book owner only — never honor the is_public branch when deleted=true:\n\n   func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) {\n        tx := db.DB\n        if deleted {\n                tx = tx.Unscoped()\n        }\n  +     // Soft-deleted (\"trash\") notes must only ever be listed to the book owner.\n  +     authz := db.DB.Where(\"owner_id = ? OR is_public = ?\", currentUserID, true)\n  +     if deleted {\n  +             authz = db.DB.Where(\"owner_id = ?\", currentUserID)\n  +     }\n        tx = tx.\n                Preload(\"Book\").\n                Joins(\"JOIN books ON books.id = notes.book_id\").\n                Where(\n                        db.DB.Where(\"books.id = ?\", bookID),\n  -                     db.DB.Where(\"owner_id = ? OR is_public = ?\", currentUserID, true),\n  +                     authz,\n                )\n        if deleted {\n                tx = tx.Where(\"notes.deleted_at IS NOT NULL\")\n        }\n        var notes []db.Note\n        return notes, dbErrorToServiceError(tx.Find(&notes).Error)\n   }\n\n  With this change, when currentUserID is nil (unauthenticated) and deleted=true, the clause becomes owner_id = NULL, which matches nothing — so\n  trash is never exposed to anonymous callers.\n\n  Coordinated disclosure / CVE request\n\n  We have reported this privately and are happy to assist with any further validation or testing you need. If you agree this qualifies as a security\n   vulnerability, we would be grateful if you could request a CVE ID for it — GitHub lets maintainers request a CVE directly from this advisory page\n   once it is accepted. Thank you for your time and for maintaining note-mark.\n\n  References\n\n  - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n  - CWE-285: Improper Authorization\n  - Prior note-mark authorization fix (CVE-2026-40265) established that read paths must scope by owner_id OR is_public; this report covers the trash\n   path that the scope did not fully cover.\n\n  ---\n\n## Affected packages\n\n- `github.com/enchant97/note-mark/backend < 0.0.0-20260601210758-9c9b72740f22`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `github.com/enchant97/note-mark/backend 0.0.0-20260601210758-9c9b72740f22`","depth":"sunlit","depthScore":29,"depthScoreParts":{"impact":29.2,"likelihood":0,"exploitation":0,"ransomware":0},"changes":[]}