Authentication Bypass in Trilium Desktop by Trilium Notes
CVE-2026-39310

8.6 HIGH

Key Information:

CVE Published: 20 May 2026

What is CVE-2026-39310?

Trilium Notes is a hierarchical note-taking application. Versions 0.102.1 and earlier contain an authentication bypass in the Clipper API: when Trilium runs inside an Electron (desktop) environment, the application disables the authentication middleware that would otherwise guard the API, so endpoints such as /api/clipper/notes accept requests that carry no credentials at all. An attacker on the same network can scan for the ports Trilium typically listens on, confirm that an instance is running, and then call the unauthenticated endpoints to gain unauthorized access to data and to mount phishing attacks. The issue is fixed in version 0.102.2, which enforces the authentication checks regardless of how Trilium is launched.
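The practical question for anyone running a pre-0.102.2 desktop build on a shared network is whether the Clipper API still answers requests that carry no session or Authorization header. The script below is an added example, not Trilium's own code or part of the advisory: it sends one credential-free request to the Clipper path named above and classifies the answer. The path /api/clipper/notes is taken from the advisory; the candidate ports, the request method, and the rule that a 401/403 means the middleware answered while a 2xx means the endpoint served an unauthenticated request are this example's own assumptions. Two in-process mock servers, constructed here to imitate an unpatched and a patched instance, let the check run offline.

```python
"""Probe a Trilium instance to see whether Clipper API requests get an
authentication challenge.

Added example, not code from Trilium Notes. The path /api/clipper/notes comes
from the advisory; the default ports and the classification rule are this
example's own assumptions. The mock servers below are constructed stand-ins.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CLIPPER_PATH = "/api/clipper/notes"
# Assumption: ports commonly used by the Trilium desktop and server builds.
CANDIDATE_PORTS = (37840, 8080)


def classify(status):
    """Map an HTTP status (or None for no connection) to a verdict."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"      # the auth middleware answered
    if 200 <= status < 300:
        return "exposed"        # served without any credentials
    return "inconclusive:%d" % status


def probe(host, port, path=CLIPPER_PATH, method="GET", timeout=3.0):
    """Send one request with no session cookie or Authorization header.

    Returns the HTTP status, or None if the port cannot be reached.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={"Accept": "application/json"})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def check_instance(host, port):
    return classify(probe(host, port))


# --- constructed mock servers: only the two behaviours under test, not Trilium ---

class _MockTrilium(BaseHTTPRequestHandler):
    def do_GET(self):
        self._handle()

    do_POST = do_GET

    def _handle(self):
        # require_auth=False imitates the Electron build with middleware disabled;
        # require_auth=True imitates the fixed build guarding Clipper routes.
        guarded = self.server.require_auth and self.path.startswith("/api/clipper/")
        if guarded and "Authorization" not in self.headers:
            self.send_response(401)
            self.end_headers()
            return
        body = b'{"success": true}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class _MockServer(ThreadingHTTPServer):
    def __init__(self, require_auth):
        super().__init__(("127.0.0.1", 0), _MockTrilium)  # port 0: pick a free port
        self.require_auth = require_auth


def _start(require_auth):
    server = _MockServer(require_auth)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Run the check against an 'unpatched' and a 'patched' mock; return verdicts."""
    verdicts = {}
    for label, require_auth in (("unpatched", False), ("patched", True)):
        server = _start(require_auth)
        try:
            verdicts[label] = check_instance("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return verdicts


if __name__ == "__main__":
    print(run_demo())
    # Against a real host: for port in CANDIDATE_PORTS: print(port, check_instance(host, port))
```

Against a real instance, run check_instance for each port you expect Trilium to use; an "inconclusive" verdict (for example a 404) usually means the request shape did not match what that route expects, so adjust the method and path to the Clipper request your version actually serves before drawing a conclusion. A "protected" verdict only shows that this one path challenged for credentials; it is the 0.102.2 upgrade, not a clean probe, that closes the issue.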

Affected Version(s)

Trilium < 0.102.2

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Score: 8.6
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: Low

Timeline

  • Vulnerability reserved

  • Vulnerability published: 20 May 2026