🔐 CVE Alert

CVE-2026-58489

UNKNOWN 0.0

HedgeDoc: CSRF in GitHub Gist export callback

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2  state  value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not properly validated, an attacker could forge a callback URL containing their own valid GitHub OAuth code. When processing the callback, HedgeDoc used the victim's logged-in session to select which note to export, but the attacker's authorization code to determine which GitHub account received it. As a result, a logged-in victim who clicked a crafted link could export their own private, protected, or limited note directly into a Gist controlled by the attacker. This issue has been fixed in version 1.11.0.

CWE CWE-352
Vendor hedgedoc
Product hedgedoc
Published Jul 13, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for hedgedoc hedgedoc

Be the first to know when new unknown vulnerabilities affecting hedgedoc hedgedoc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

hedgedoc / hedgedoc
< 1.11.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-8v9p-5j95-826j github.com: https://github.com/hedgedoc/hedgedoc/commit/fbd7307f162754212046ec343cbe691223a48c8d