Back to overview

CVE-2026-58489

MEDIUM
6.8
CVSS 4.0
Description
HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2  state  value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not properly validated, an attacker could forge a callback URL containing their own valid GitHub OAuth code. When processing the callback, HedgeDoc used the victim's logged-in session to select which note to export, but the attacker's authorization code to determine which GitHub account received it. As a result, a logged-in victim who clicked a crafted link could export their own private, protected, or limited note directly into a Gist controlled by the attacker. This issue has been fixed in version 1.11.0.

Metadata

CVE ID
CVE-2026-58489
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-30 20:21 UTC
Published
2026-07-13 22:34 UTC
Last updated
2026-07-13 22:34 UTC
Primary CWE
CWE-352
CWE-352: Cross-Site Request Forgery (CSRF)
Vendor / Product
hedgedoc / hedgedoc
Sources
cve.org  ·  NVD

Severity & Metrics

6.8 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
hedgedoc hedgedoc < 1.11.0
Weakness (CWE)
CWESourceDescription
CWE-352 cna CWE-352: Cross-Site Request Forgery (CSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.8 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
References (2)
Back to overview