CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50554

mediumCVSS 5.3covered by 1 sourcefirst seen 2026-07-09
Summary GET /api/books/{bookID}/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped() (bypassing GORM's soft-delete scope) but keeps the read-authorization clause as "owner_id = ? OR is_public = ?". As a result, any unauthenticated caller can enumerate the metadata of soft-deleted ("trashed") notes belonging to any public book — notes the owner explicitly deleted and expected to be removed from public view. Affected component (code-verified) backend/services/notes.go — GetNotesByBookID (lines 72-89): func (s NotesService) GetNotesByBookID(currentUserID *uuid.UUID, bookID uuid.UUID, deleted bool) ([]db.Note, error) { tx := db.DB if deleted { tx = tx.Unscoped() // <-- bypasses soft-delete scope } tx = tx. Preload("Book"). Joins("JOIN books ON books.id = notes.book_id"). Where( db.DB.Where("books.id = ?", bookID), db.DB.Where("owner_id = ? OR is_public = ?", currentUserID, true), // <-- is_public still honored for trash ) if deleted { tx = tx.Where("notes.deleted_at IS NOT NULL") } var notes []db.Note return notes, dbErrorToServiceError(tx.Find(&notes).Error) } Route registration confirms the endpoint has no AuthRequiredMiddleware (backend/handlers/notes.go:37), and the deleted flag is attacker-controlled (backend/handlers/notes.go:86 — Deleted bool with query:"deleted"). Proof of concept 1. A victim owns a public book (is_public = true), creates a note, then soft-deletes it (moves it to trash). The note still exists in the DB with deleted_at set. 2. An unauthenticated attacker who knows (or enumerates) the book UUID requests: GET /api/books/<bookID>/notes?deleted=true 3. The response lists the soft-deleted note(s) — id, title, slug, timestamps — even though the attacker is not authenticated and the owner intended the note to be deleted. Impact Exposure of soft-deleted note metadata (title, slug, timestamps) of public books to unauthenticated actors. The note

⚡ Watch CVE-2026-50554

Get an email if CVE-2026-50554 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-50554

CVE.org record

Embed the live status

CVE-2026-50554 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50554 status](https://www.csirts.com/badge/CVE-2026-50554)](https://www.csirts.com/cve/CVE-2026-50554)