CVE-2026-28201 PUBLISHED

SurrealDB Injection on Open Notebook

Assigner: ENISA
Reserved: 25.02.2026 Published: 07.05.2026 Updated: 07.05.2026

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Open Notebook
Product	Open Notebook
Versions	Default: unaffected affected from 0 to 1.8.2 (incl.)

Credits

CERT-EU finder

References

https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c

Problem Types

CWE-20 Improper input validation CWE
CWE-917 Improper neutralization of special elements used in an expression language statement ('expression language injection') CWE
CWE-352 Cross-Site request forgery (CSRF) CWE

Impacts

CAPEC-545 Pull Data from System Resources