CVE 8.7 HIGH

SurrealDB Injection on Open Notebook_CVE-2026-28201

May 7, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.

AI Analysis

SurrealDB Injection vulnerability in Open Notebook via improper input validation and overly permissive CORS configuration

Basic Information

ID CVE-2026-28201

Source ENISA

Published May 7, 2026 at 10:12

Modified May 7, 2026 at 10:23

Affected Product

Vendor lfnovo

Product Open Notebook

Version 1.8.1

Affected Versions Open Notebook Open Notebook 0

CWE Classification

CWE-20 CWE-917 CWE-352

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor lfnovo

Product Open Notebook

Version 1.8.1

References

github.com /lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c

{
    "lastseen": "",
    "description": "An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible.",
    "published": "2026-05-07T10:12:05.895Z",
    "modified": "2026-05-07T10:23:57.837Z",
    "type": "cve",
    "title": "SurrealDB Injection on Open Notebook",
    "source": "ENISA",
    "references": "https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c",
    "id": "CVE-2026-28201",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-917",
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "Open Notebook Open Notebook 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Open Notebook",
    "version": "1.8.1",
    "vendor": "lfnovo",
    "ai_description": "SurrealDB Injection vulnerability in Open Notebook via improper input validation and overly permissive CORS configuration",
    "ai_severity": "High",
    "ai_vendor": "lfnovo",
    "ai_product": "Open Notebook",
    "ai_version": "1.8.1",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply