CVE-2026-50554

MEDIUMPre-NVD 5.35.3
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
5.3
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books

Summary

GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped() (bypassing GORM's soft-delete scope) but keeps the read-authorization clause as "owner_id = ? OR is_public = ?". As a result, any unauthenticated caller can enumerate the metadata of soft-deleted ("trashed") notes belonging to any public book — notes the owner explicitly deleted and expected to be removed from public view.

Affected component (code-verified)

backend/services/notes.go — GetNotesByBookID (lines 72-89):

func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) { tx := db.DB if deleted { tx = tx.Unscoped() // <-- bypasses soft-delete scope } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book_id"). Where( db.DB.Where("books.id = ?", bookID), db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true), // <-- is_public still honored for trash ) if deleted { tx = tx.Where("notes.deleted_at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(¬es).Error) }

Route registration confirms the endpoint has no AuthRequiredMiddleware (backend/handlers/notes.go:37), and the deleted flag is attacker-controlled (backend/handlers/notes.go:86 — Deleted bool with query:"deleted").

Proof of concept

  • A victim owns a public book (is_public = true), creates a note, then soft-deletes it (moves it to trash). The note still exists in the DB with
deleted_at set.
  • An unauthenticated attacker who knows (or enumerates) the book UUID requests: GET /api/books//notes?deleted=true
  • The response lists the soft-deleted note(s) — id, title, slug, timestamps — even though the attacker is not authenticated and the owner
intended the note to be deleted.

Impact

Exposure of soft-deleted note metadata (title, slug, timestamps) of public books to unauthenticated actors. The note body is not exposed — the content endpoint (GetNoteContent) does not use Unscoped(), so its count query returns 0 for soft-deleted notes and yields 404. Impact is therefore limited to metadata disclosure and the bypass of the intended "delete" semantics on public books.

Remediation

Restrict trash (soft-deleted) listings to the book owner only — never honor the is_public branch when deleted=true:

func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) { tx := db.DB if deleted { tx = tx.Unscoped() } + // Soft-deleted ("trash") notes must only ever be listed to the book owner. + authz := db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true) + if deleted { + authz = db.DB.Where("owner_id = ?", currentUserID) + } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book_id"). Where( db.DB.Where("books.id = ?", bookID),

  • db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true),
+ authz, ) if deleted { tx = tx.Where("notes.deleted_at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(¬es).Error) }

With this change, when currentUserID is nil (unauthenticated) and deleted=true, the clause becomes owner_id = NULL, which matches nothing — so trash is never exposed to anonymous callers.

Coordinated disclosure / CVE request

We have reported this privately and are happy to assist with any further validation or testing you need. If you agree this qualifies as a security vulnerability, we would be grateful if you could request a CVE ID for it — GitHub lets maintainers request a CVE directly from this advisory page once it is accepted. Thank you for your time and for maintaining note-mark.

References

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-285: Improper Authorization
  • Prior note-mark authorization fix (CVE-2026-40265) established that read paths must scope by owner_id OR is_public; this report covers the trash
path that the scope did not fully cover.

---

CVSS v3
5.3
EG Score
5.3(low)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-50554(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 7× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 11:41 UTCEG score recompute
  2. 2026-07-14 12:01 UTCEG score recompute
  3. 2026-07-13 12:23 UTCEG score recompute
  4. 2026-07-12 12:44 UTCEG score recompute
  5. 2026-07-11 13:05 UTCEG score recompute
  6. 2026-07-10 13:25 UTCEG score recompute
  7. 2026-07-09 13:45 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-50554?
CVE-2026-50554 is a medium vulnerability published on July 9, 2026. Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books Summary GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped()…
When was CVE-2026-50554 disclosed?
CVE-2026-50554 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-50554?
CVE-2026-50554 has a CVSS v4.0 base score of 5.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-50554?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-50554, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-50554

Explore →

Is Your Infrastructure Affected by CVE-2026-50554?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.