Logic Error in Joplin Note-Taking Application Exposes Shared Notes
CVE-2026-34600

5.7 MEDIUM

Key Information:

Vendor

Laurent22

Status
Vendor
CVE Published: 19 May 2026

What is CVE-2026-34600?

In the Joplin note-taking application, versions 3.5.2 and earlier are vulnerable due to a logic error in the delta API. This flaw allows users to access notes that should no longer be shared with them. The issue arises because the delta API responds with the latest state of items without checking their sharing status. Consequently, deleted items may still appear as accessible, allowing sensitive information to be disclosed. Furthermore, the change compression logic mismanages the create/delete events, which may result in unauthorized access to previously removed content. The vulnerability has been addressed in version 3.5.3.
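
A simplified model of the flaw described above, added here as an illustration; it is not Joplin's code. The data layout, the function names and the specific flawed compression rule are assumptions chosen to show the two defects (create/delete compression and the missing sharing check) next to a corrected form.

```javascript
const CREATE = 1, UPDATE = 2, DELETE = 3;

// Constructed data (not from Joplin): alice shared n1 with bob, revoked it, then kept editing.
const items = new Map([['n1', { owner: 'alice', body: 'written after unshare' }]]);
const readers = new Map([['n1', new Set(['alice'])]]); // bob's access is already revoked
const bobChanges = [
  { seq: 1, itemId: 'n1', type: CREATE }, // share accepted
  { seq: 2, itemId: 'n1', type: UPDATE },
  { seq: 3, itemId: 'n1', type: DELETE }, // share revoked
];

// Flawed compression (assumed rule): a CREATE absorbs every later event, DELETE included.
function compressFlawed(changes) {
  const byItem = new Map();
  for (const c of changes) {
    const prev = byItem.get(c.itemId);
    byItem.set(c.itemId, prev && prev.type === CREATE ? { ...c, type: CREATE } : c);
  }
  return [...byItem.values()];
}

// Corrected compression: CREATE then DELETE cancels out; a DELETE is never absorbed.
function compressFixed(changes) {
  const byItem = new Map();
  for (const c of changes) {
    const prev = byItem.get(c.itemId);
    if (c.type === DELETE && prev && prev.type === CREATE) byItem.delete(c.itemId);
    else if (c.type === UPDATE && prev && prev.type === CREATE) byItem.set(c.itemId, { ...c, type: CREATE });
    else byItem.set(c.itemId, c);
  }
  return [...byItem.values()];
}

// Vulnerable: attaches the item's latest state; userId is never checked against sharing status.
function deltaVulnerable(userId, changes) {
  return compressFlawed(changes).map(c => ({
    itemId: c.itemId, type: c.type,
    body: c.type === DELETE ? undefined : items.get(c.itemId)?.body,
  }));
}

// Hardened: re-check access at response time; anything unreadable becomes a bare DELETE.
function deltaHardened(userId, changes) {
  return compressFixed(changes).map(c => {
    const allowed = readers.get(c.itemId)?.has(userId) === true;
    if (c.type === DELETE || !allowed) return { itemId: c.itemId, type: DELETE };
    return { itemId: c.itemId, type: c.type, body: items.get(c.itemId).body };
  });
}
```

The access check in `deltaHardened` is independent of the compression fix: even if the change log is missing the revocation event, the response for a user without current access carries no note body.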

Affected Version(s)

joplin < 3.5.3

CVSS V3.1

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved