CVE-2026-58489 in HedgeDoc
Summary
by MITRE • 07/14/2026
HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2 state value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not properly validated, an attacker could forge a callback URL containing their own valid GitHub OAuth code. When processing the callback, HedgeDoc used the victim's logged-in session to select which note to export, but the attacker's authorization code to determine which GitHub account received it. As a result, a logged-in victim who clicked a crafted link could export their own private, protected, or limited note directly into a Gist controlled by the attacker. This issue has been fixed in version 1.11.0.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability in HedgeDoc represents a critical authentication bypass flaw that exploits improper OAuth2 state parameter validation within the GitHub Gist export functionality. The application's failure to properly validate the OAuth2 state parameter creates a significant security gap that allows attackers to manipulate the authorization flow and redirect exported content to malicious accounts. The vulnerability specifically affects versions prior to 1.11.0 where the system only verified the presence of the state parameter without ensuring its integrity against expected session values. This oversight enables attackers to craft malicious callback URLs containing their own valid GitHub OAuth codes while leveraging legitimate user sessions for note selection.
The technical execution of this attack relies on the application's flawed logic where it uses different authentication mechanisms for different parts of the process. When a victim clicks a crafted link, the system employs the victim's logged-in session to identify which note should be exported, but then utilizes the attacker's authorization code to determine which GitHub account will receive that content. This separation of concerns creates an authentication confusion scenario where the session context and authorization context become decoupled. The OAuth2 state parameter serves as a crucial anti-csrf mechanism designed to prevent unauthorized redirection attacks by ensuring that the authorization request and response correspond to the same user session, but HedgeDoc's implementation fails to enforce this critical validation step.
The operational impact of this vulnerability extends beyond simple data exposure, representing a sophisticated attack vector that could enable persistent unauthorized access to sensitive information. Attackers can leverage this flaw to systematically harvest private notes from logged-in users, potentially gaining access to confidential business information, personal data, or restricted project documentation. The vulnerability affects all users who have authenticated with GitHub and are logged into HedgeDoc, making it particularly dangerous in environments where users may be browsing untrusted websites or clicking on malicious links. This type of attack aligns with the common exploitation patterns described in the ATT&CK framework under credential access and privilege escalation techniques, specifically targeting the exploitation of authentication mechanisms to gain unauthorized access to user resources.
This vulnerability directly corresponds to CWE-384, which addresses session fixation and authentication bypass issues related to improper validation of state parameters in authentication flows. The flaw demonstrates how insufficient input validation and inadequate session management can create dangerous security holes even within well-intended applications. Organizations should immediately implement the patch available in version 1.11.0 which properly validates OAuth2 state parameters against expected session values, ensuring that callback URLs cannot be manipulated to redirect authorization responses to unauthorized accounts. Additional mitigations include implementing proper rate limiting on export operations and conducting security reviews of all authentication flows to identify similar validation gaps that could enable similar attacks.
The broader implications of this vulnerability highlight the importance of comprehensive authentication flow testing and the critical role that state parameters play in preventing CSRF attacks. Security practitioners should recognize that even seemingly simple functionality like note export can become attack vectors when proper authentication controls are not implemented. This case study serves as a reminder that OAuth2 implementations require careful attention to state parameter validation, session consistency, and proper separation of concerns between different authentication contexts. Organizations maintaining collaborative applications must conduct thorough security assessments of all third-party integration points and ensure that proper validation mechanisms are in place to prevent similar issues in other components of their software ecosystems.