CVE-2026-22810 Overview
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability [CWE-24] in the OneNote importer that allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. An attacker can craft a malicious .one file containing file names with ../../ sequences that are interpreted as part of the target path when extracting attachments. The issue is patched in version 3.5.7.
Critical Impact
A user importing a malicious OneNote .one file into Joplin can have any file writable by their account overwritten with attacker-chosen content. Because the target can be a shell profile, startup item, or script that is later executed, the impact extends to code execution as the importing user, giving high impact on confidentiality, integrity, and availability.
Affected Products
- Joplin desktop application, all versions prior to 3.5.7
- Joplin OneNote importer component (packages/onenote-converter)
- Joplin file extraction routine in embedded_file.rs
Discovery Timeline
- 2026-05-18 - CVE-2026-22810 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-22810
Vulnerability Analysis
The vulnerability resides in Joplin's OneNote converter, specifically in the code path that extracts embedded files from a .one archive during import. When Joplin parses a OneNote file, it reads attachment metadata including a file name, then writes the attachment to a destination directory using that name. The importer trusts the embedded file name without validating or canonicalizing it, allowing directory traversal sequences to escape the intended attachment directory.
The weakness is classified under [CWE-24] (Path Traversal: ../filedir). Exploitation requires the victim to import an attacker-supplied .one file; no further interaction is needed once the import runs. The traversal reaches any location the Joplin process can write, so a successful import can overwrite configuration files, scripts, or binaries belonging to the user, yielding code execution at the user's privilege level the next time the overwritten file is executed or sourced.
Root Cause
The root cause is missing sanitization of embedded file names in the OneNote parser. The relevant logic in packages/onenote-converter/renderer/src/page/embedded_file.rs constructs a destination path by joining the importer's base directory with the attacker-controlled file name. Without stripping or rejecting .. path components, the resulting path can resolve outside the import directory.
Attack Vector
An attacker creates a malicious .one file whose embedded attachment names contain traversal sequences such as ../../.bashrc or ../../AppData/Roaming/joplin/config.json. The attacker delivers this file to a target user. When the user imports the file using Joplin's OneNote importer, the converter writes attachment data to the traversed path, overwriting the target file.
// Patch excerpt: introduces the split_file_name helper used by the safe filename handling
// (the tests added in the same commit are not reproduced here; the enclosing trait is omitted)
// Source: packages/onenote-converter/parser-utils/src/file_api/api.rs
// Note: this helper only separates base name from extension. It does not itself reject
// `..` or separators; that check is part of the rest of the patch, which this excerpt does not show.
/// `path_2` is still appended to `path_1`.
fn join(&self, path_1: &str, path_2: &str) -> String;
/// Splits filename into (base, extension).
fn split_file_name(&self, filename: &str) -> (String, String) {
    let ext = self.get_file_extension(filename);
    let base = filename.strip_suffix(&ext).unwrap_or(filename);
    (base.into(), ext)
}
Source: Joplin security patch commit 7916684
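To make the root cause concrete, here is an added Rust example. It is not Joplin's code and not the patch excerpt above (which shows only the base/extension split): it places the vulnerable pattern, a join that honours `..` in an embedded file name, beside a hardened destination function that accepts only a single normal path component, and adds a lexical normalizer that shows where each crafted name would land without touching the filesystem. The base directory, the embedded names, and the function names are constructed for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Vulnerable pattern: the attacker-controlled embedded file name is joined
/// onto the attachment directory as-is. `..` components survive the join and
/// the operating system honours them when the file is created. An absolute
/// name is worse: `Path::join` replaces the base entirely.
fn unsafe_destination(base_dir: &Path, embedded_name: &str) -> PathBuf {
    base_dir.join(embedded_name)
}

/// Hardened replacement (illustrative, not Joplin's fix): accept the name only
/// if it is exactly one normal path component. Backslashes are treated as
/// separators first because a .one file built on Windows may be imported on
/// any platform, and `..\x` is a legal single file name on Linux but a
/// traversal on Windows.
fn safe_destination(base_dir: &Path, embedded_name: &str) -> Result<PathBuf, String> {
    let normalized = embedded_name.replace('\\', "/");
    let mut parts = Path::new(&normalized).components();
    let name = match (parts.next(), parts.next()) {
        // Exactly one component, and it is a plain name: not `..`, `.`, or `/`.
        (Some(Component::Normal(name)), None) => name,
        _ => return Err(format!("rejected embedded file name {:?}", embedded_name)),
    };
    // Defence in depth: a NUL byte or a drive-style prefix (`C:evil`) would mean
    // something different to the OS than to the component check above.
    let name_str = name.to_str().ok_or("non-UTF-8 file name")?;
    if name_str.contains(|c: char| c == '\0' || c == ':') {
        return Err(format!("rejected embedded file name {:?}", embedded_name));
    }
    Ok(base_dir.join(name))
}

/// Resolve `.` and `..` lexically, without filesystem access, so the example
/// can show where a traversing name would land without creating files
/// (`Path::canonicalize` would require the target to exist).
fn lexical_normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for component in path.components() {
        match component {
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// True when the vulnerable join would write outside `base_dir`. Note that
/// `starts_with` on the raw join is NOT a sufficient check: it compares
/// components literally, and `..` is just another component to it.
fn resolves_outside(base_dir: &Path, embedded_name: &str) -> bool {
    !lexical_normalize(&unsafe_destination(base_dir, embedded_name)).starts_with(base_dir)
}

fn main() {
    // Constructed sample: an importer base directory and embedded names that a
    // crafted .one file might carry.
    let base = Path::new("/home/alice/.config/joplin/resources");
    let names = [
        "diagram.png",
        "../../../.bashrc",
        "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat",
        "/etc/cron.d/joplin",
        "sub/diagram.png",
    ];
    for name in names {
        println!(
            "{:?}\n  vulnerable join -> {} (escapes base: {})\n  hardened        -> {:?}",
            name,
            unsafe_destination(base, name).display(),
            resolves_outside(base, name),
            safe_destination(base, name),
        );
    }
}
```

Running it on Linux shows the backslash name staying inside the base directory under the vulnerable join (it is one file name there) while the hardened check still rejects it; the same .one file imported on Windows would traverse. That asymmetry is why the check works on the name, not on where the join happens to land on the current platform.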
Detection Methods for CVE-2026-22810
Indicators of Compromise
- Presence of unexpected .one files received over email, chat, or shared drives prior to a Joplin import action
- File modifications outside the configured Joplin resources directory immediately following a OneNote import
- Embedded file names within .one archives containing .., ..\, or ../ sequences when inspected with a OneNote parser
- Joplin process (joplin.exe, Joplin) writing to user profile locations such as ~/.bashrc, %APPDATA%, or startup folders
Detection Strategies
- Inspect endpoint telemetry for the Joplin desktop process writing files to paths outside its expected resources directory
- Hunt for .one files in user download and mail attachment directories on hosts running Joplin versions earlier than 3.5.7
- Correlate Joplin importer activity with subsequent modifications to autorun, shell profile, or scheduled task files
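As an added example, not part of the original advisory or of any vendor tooling, the three strategies above combined into one hunt over constructed telemetry in Rust: it keeps only events from the Joplin process, ignores writes into the expected resources directory, and grades the rest by whether the target is a shell profile, autostart item, or executable and whether the write follows a OneNote import within a short window. The event format (`ts,process,op,path`), the process names, the resources directory, the 300-second window, and the list of sensitive targets are assumptions for the example; the sensor is assumed to report resolved absolute paths, as EDR file-write events normally do.

```rust
use std::path::Path;

/// One file-activity event. Constructed format for this example (assumption,
/// not any real sensor's schema): `<unix_ts>,<process>,<import|write>,<path>`.
#[derive(Debug, Clone, PartialEq)]
struct Event {
    ts: u64,
    process: String,
    op: String,
    path: String,
}

#[derive(Debug, Clone, PartialEq)]
struct Alert {
    ts: u64,
    path: String,
    severity: &'static str,
    reason: String,
}

/// Process names the Joplin desktop application runs under (from the IoC list above).
const JOPLIN_PROCESSES: &[&str] = &["Joplin", "joplin.exe"];
/// How long after an import a write outside the resources directory is still
/// correlated with it (assumption: 5 minutes).
const IMPORT_WINDOW_SECS: u64 = 300;

fn parse_event(line: &str) -> Option<Event> {
    let mut parts = line.splitn(4, ',');
    let ts = parts.next()?.trim().parse::<u64>().ok()?;
    let process = parts.next()?.trim().to_string();
    let op = parts.next()?.trim().to_string();
    let path = parts.next()?.trim().to_string();
    Some(Event { ts, process, op, path })
}

/// Targets whose overwrite yields code execution or persistence for the user.
/// Assumption: a representative list; extend it for the platforms in the fleet.
fn is_sensitive_target(path: &str) -> bool {
    // Normalise separators so the same rules cover Windows and Unix paths.
    let p = path.replace('\\', "/");
    let file_name = p.rsplit('/').next().unwrap_or("");
    let unix_profiles = [".bashrc", ".bash_profile", ".profile", ".zshrc"];
    let executable_exts = [".bat", ".cmd", ".ps1", ".sh", ".exe", ".dll"];
    unix_profiles.contains(&file_name)
        || p.contains("/.config/autostart/")
        || p.contains("/Start Menu/Programs/Startup/")
        || executable_exts.iter().any(|e| file_name.ends_with(*e))
}

/// Run the hunt. `resources_dir` is where the OneNote importer is expected to
/// write attachments; writes there are its normal behaviour.
fn detect(lines: &[&str], resources_dir: &str) -> Vec<Alert> {
    let mut last_import: Option<u64> = None;
    let mut alerts = Vec::new();
    for line in lines {
        let ev = match parse_event(line) {
            Some(ev) => ev,
            None => continue, // malformed line, skip
        };
        if !JOPLIN_PROCESSES.contains(&ev.process.as_str()) {
            continue;
        }
        match ev.op.as_str() {
            "import" => last_import = Some(ev.ts),
            "write" => {
                if Path::new(&ev.path).starts_with(resources_dir) {
                    continue;
                }
                let after_import = last_import
                    .map_or(false, |t| ev.ts >= t && ev.ts - t <= IMPORT_WINDOW_SECS);
                let sensitive = is_sensitive_target(&ev.path);
                let (severity, reason) = match (sensitive, after_import) {
                    (true, true) => ("high", "sensitive file overwritten shortly after a OneNote import"),
                    (true, false) => ("medium", "sensitive file written outside resources directory"),
                    (false, true) => ("medium", "write outside resources directory shortly after a OneNote import"),
                    (false, false) => ("low", "write outside resources directory"),
                };
                alerts.push(Alert { ts: ev.ts, path: ev.path, severity, reason: reason.to_string() });
            }
            _ => {}
        }
    }
    alerts
}

/// Constructed telemetry: one import followed by one expected and two
/// suspicious writes, an unrelated process, a late benign write, and noise.
fn sample_telemetry() -> Vec<&'static str> {
    vec![
        "1716000000,Joplin,import,/home/alice/Downloads/Shared-Notes.one",
        "1716000003,Joplin,write,/home/alice/.config/joplin-desktop/resources/diagram.png",
        "1716000004,Joplin,write,/home/alice/.bashrc",
        "1716000005,Joplin,write,/home/alice/.config/autostart/updater.desktop",
        "1716000010,firefox,write,/home/alice/.bashrc",
        "1716009000,Joplin,write,/home/alice/Documents/export.md",
        "garbage line",
    ]
}

fn main() {
    for a in detect(&sample_telemetry(), "/home/alice/.config/joplin-desktop/resources") {
        println!("[{}] ts={} {} ({})", a.severity, a.ts, a.path, a.reason);
    }
}
```

On the sample this raises two high alerts (the shell profile and the autostart entry, both within seconds of the import) and one low alert for the later Markdown export; the write by firefox and the malformed line are ignored. In production the `resources_dir` and `last_import` state should be keyed per host and per user.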
Monitoring Recommendations
- Enable file integrity monitoring on user profile directories and shell configuration files on workstations with Joplin installed
- Log and review OneNote importer usage events from Joplin where available
- Alert on Joplin writing executables, scripts, or configuration files outside its application data directory
How to Mitigate CVE-2026-22810
Immediate Actions Required
- Upgrade Joplin to version 3.5.7 or later on all desktop installations
- Restrict import of untrusted .one files until the upgrade is verified across the fleet
- Audit recent OneNote imports performed by users on vulnerable Joplin versions for unexpected file system changes
- Notify users to refuse OneNote files received from unverified senders
Patch Information
The vulnerability is patched in Joplin 3.5.7. The fix adds safe filename handling in the OneNote converter, including a split_file_name helper and sanitization that prevents traversal sequences from being interpreted as path components. See the Joplin v3.5.7 release notes, the GitHub Security Advisory GHSA-gcmj-c9gg-9vh6, and the fix pull request #13736.
Workarounds
- Do not use the OneNote importer feature in Joplin until the application is updated to 3.5.7
- Import OneNote files only inside a sandboxed or non-privileged user account to limit the scope of any overwritten files
- Apply OS-level file permissions that restrict the Joplin process from writing to sensitive user files such as shell profiles or startup directories
# Verify installed Joplin version and upgrade on Linux
# Note: `joplin` is the terminal client. The OneNote importer ships in the desktop
# application, whose version is shown under Help > About Joplin; check that one too.
joplin --version
# Example: upgrade via package manager or AppImage to v3.5.7 or later
# Confirm version after upgrade
joplin --version   # should report 3.5.7 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


