CVE-2026-34600 Overview
CVE-2026-34600 is an information disclosure vulnerability in Joplin, an open source note-taking and to-do application. The flaw affects Joplin Server versions 3.5.2 and prior. A logic error in the delta API allows share recipients to download notes that are no longer shared with them. The issue is related to but not fully addressed by a prior patch in pull request #14289. The vulnerability is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
A previously authorized share recipient can retrieve the full latest content of notes after access has been revoked, exposing confidential information through the delta synchronization API.
Affected Products
- Joplin versions 3.5.2 and prior
- Joplin Server share recipients using the delta API
- Fixed in Joplin version 3.5.3
Discovery Timeline
- 2026-05-19 - CVE-2026-34600 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-34600
Vulnerability Analysis
The vulnerability resides in the ChangeModel.delta function of Joplin Server. When the DELTA_INCLUDES_ITEMS flag is enabled, which is the default configuration, the latest state of items is attached to the delta API output. The server does not verify that those items remain shared with the requesting user. The existing removal logic only filters items that have been deleted for all users, not items whose share permissions have been revoked for a specific recipient.
A second logic flaw exists in the change compression routine. The compression incorrectly reduces a create followed by a delete sequence to a no-op. This is unsafe because compression is applied per page of results, and an item can have multiple create events across pages.
Root Cause
The root cause is twofold. First, ChangeModel.delta lacks an authorization check ensuring the requesting user still has share access to each item attached to the delta response. Second, the page-level change compression logic drops deletion events when an earlier create event resides on a separate page from a later create-delete pair. The sequence then collapses to a create event with the full latest content attached.
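The two flaws are easiest to see side by side. The following TypeScript model is an added example written for this page; it is not Joplin Server code, and the shapes (Change, DeltaEntry, compressPageUnsafe, compressPageSafe, serveDelta) are assumptions chosen to mirror the behaviour described above, not the server's actual API. It replays a constructed change log for a recipient "bob" whose share was revoked: the page boundary falls between an earlier create and a later create-delete pair, the per-page compression drops the delete, and the lone create has the latest content attached without a share check. The fixed path keeps the trailing delete and attaches content only when the requester still holds the share.

```typescript
// Added illustrative model of CVE-2026-34600, not Joplin Server code.
// Change/DeltaEntry shapes and function names are assumptions for this example.

type ChangeType = 'create' | 'update' | 'delete';

interface Change { counter: number; itemId: string; type: ChangeType }
interface Item { id: string; content: string }
interface DeltaEntry { itemId: string; type: ChangeType; item?: Item }

interface DeltaOptions {
  includeItems: boolean;                 // models DELTA_INCLUDES_ITEMS
  checkShare: boolean;                   // fixed path: verify current share access
  compress: (page: Change[]) => Change[];
}

// Group one page's changes by item, keeping their order within each group.
function groupByItem(page: Change[]): Map<string, Change[]> {
  const byItem = new Map<string, Change[]>();
  for (const c of page) {
    const list = byItem.get(c.itemId);
    if (list) list.push(c); else byItem.set(c.itemId, [c]);
  }
  return byItem;
}

// Vulnerable compression: create ... delete inside one page becomes a no-op,
// although an earlier page may already have delivered a create for the item.
function compressPageUnsafe(page: Change[]): Change[] {
  const out: Change[] = [];
  for (const list of groupByItem(page).values()) {
    const last = list[list.length - 1];
    const sawCreate = list.some(c => c.type === 'create');
    if (sawCreate && last.type === 'delete') continue;     // dropped entirely
    out.push(sawCreate ? { ...last, type: 'create' } : last);
  }
  return out.sort((a, b) => a.counter - b.counter);
}

// Safe compression: a trailing delete is always emitted.
function compressPageSafe(page: Change[]): Change[] {
  const out: Change[] = [];
  for (const list of groupByItem(page).values()) {
    const last = list[list.length - 1];
    if (last.type === 'delete') { out.push(last); continue; }
    const sawCreate = list.some(c => c.type === 'create');
    out.push(sawCreate ? { ...last, type: 'create' } : last);
  }
  return out.sort((a, b) => a.counter - b.counter);
}

// Serve the delta page by page, attaching the latest item state to
// non-delete entries when includeItems is on.
function serveDelta(
  pages: Change[][], items: Map<string, Item>, shares: Map<string, Set<string>>,
  requester: string, opts: DeltaOptions,
): DeltaEntry[] {
  const result: DeltaEntry[] = [];
  for (const page of pages) {
    for (const c of opts.compress(page)) {
      const entry: DeltaEntry = { itemId: c.itemId, type: c.type };
      if (opts.includeItems && c.type !== 'delete') {
        const stillShared = shares.get(c.itemId)?.has(requester) ?? false;
        // Vulnerable path ignores stillShared; fixed path requires it.
        if (!opts.checkShare || stillShared) entry.item = items.get(c.itemId);
      }
      result.push(entry);
    }
  }
  return result;
}

// Constructed scenario: note-1 shared with bob (counter 1), page boundary,
// then re-shared and revoked (counters 2 and 3). Only alice holds the share now.
const ITEMS = new Map<string, Item>([
  ['note-1', { id: 'note-1', content: 'latest confidential revision' }],
]);
const SHARES = new Map<string, Set<string>>([['note-1', new Set(['alice'])]]);
const PAGES: Change[][] = [
  [{ counter: 1, itemId: 'note-1', type: 'create' }],
  [{ counter: 2, itemId: 'note-1', type: 'create' },
   { counter: 3, itemId: 'note-1', type: 'delete' }],
];

function vulnerableRun(): DeltaEntry[] {
  return serveDelta(PAGES, ITEMS, SHARES, 'bob',
    { includeItems: true, checkShare: false, compress: compressPageUnsafe });
}

function fixedRun(): DeltaEntry[] {
  return serveDelta(PAGES, ITEMS, SHARES, 'bob',
    { includeItems: true, checkShare: true, compress: compressPageSafe });
}

console.log('vulnerable:', JSON.stringify(vulnerableRun()));
console.log('fixed:     ', JSON.stringify(fixedRun()));
```

In the vulnerable run bob receives a single create entry carrying the latest content and never sees a delete; in the fixed run the create carries no payload and is followed by the delete, so the client removes its stale copy.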
Attack Vector
An authenticated user who was previously granted share access to a note can call the delta API after the share has been revoked. The API returns a create event for the revoked item containing the full latest content. Exploitation requires low privileges and some user interaction, and is delivered over the network. Refer to the GitHub Security Advisory GHSA-88x4-77rc-jw94 for additional technical context.
Detection Methods for CVE-2026-34600
Indicators of Compromise
- Delta API requests from user accounts whose share permissions were recently revoked
- Anomalous volumes of delta synchronization calls returning create events for previously shared items
- Access patterns where the same user repeatedly retrieves delta data shortly after share removal events
Detection Strategies
- Correlate Joplin Server application logs with share permission changes to identify delta API calls referencing items the requester no longer has access to
- Monitor for delta responses containing item payloads for users with recently revoked share entitlements
- Inspect Joplin Server audit logs for repeated delta requests from accounts that have been removed from notebook shares
Monitoring Recommendations
- Enable verbose logging on the /api/changes and delta endpoints to capture requester identity and returned item identifiers
- Forward Joplin Server logs to a centralized log analytics platform for retention and correlation with share lifecycle events
- Alert on unexpected access to note content by users whose share permissions were recently modified
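The correlation the strategies above call for can be implemented as a small replay over share-lifecycle and delta-request events. The TypeScript below is an added example, not Joplin Server tooling, and the JSON-lines log schema (share_granted, share_revoked, delta_request with a returned item list) is constructed for the example because the page does not document the server's real log format; adapt parseLine to the fields your logging actually emits.

```typescript
// Added detection example for CVE-2026-34600, not Joplin Server code.
// The log schema below is constructed; map it onto your real log fields.

interface LogEvent {
  ts: string;                                   // ISO-8601 timestamp
  event: 'share_granted' | 'share_revoked' | 'delta_request';
  user: string;                                 // requester or share recipient
  item?: string;                                // share events
  returned?: string[];                          // item ids in a delta response
}

interface Alert { ts: string; user: string; item: string; revokedAt: string }

// Parse one JSON line; malformed or incomplete lines are skipped.
function parseLine(line: string): LogEvent | null {
  try {
    const o = JSON.parse(line);
    if (typeof o.ts !== 'string' || typeof o.event !== 'string' || typeof o.user !== 'string') return null;
    return o as LogEvent;
  } catch {
    return null;
  }
}

// Replay events in timestamp order and flag delta responses that return an
// item to a user whose share of it was revoked and not granted again since.
function detectRevokedAccess(lines: string[]): Alert[] {
  const events = lines.map(parseLine).filter((e): e is LogEvent => e !== null)
    .sort((a, b) => a.ts.localeCompare(b.ts));   // ISO timestamps sort lexically
  const revoked = new Map<string, string>();      // "user|item" -> revocation ts
  const alerts: Alert[] = [];
  for (const ev of events) {
    const key = (item: string) => `${ev.user}|${item}`;
    if (ev.event === 'share_revoked' && ev.item) {
      revoked.set(key(ev.item), ev.ts);
    } else if (ev.event === 'share_granted' && ev.item) {
      revoked.delete(key(ev.item));
    } else if (ev.event === 'delta_request') {
      for (const item of ev.returned ?? []) {
        const at = revoked.get(key(item));
        if (at !== undefined) alerts.push({ ts: ev.ts, user: ev.user, item, revokedAt: at });
      }
    }
  }
  return alerts;
}

// Constructed sample: bob loses note-1 at 10:00, still receives it at 10:10,
// then is re-shared at 11:00 so the 11:05 sync is legitimate.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-05-20T09:00:00Z","event":"share_granted","user":"bob","item":"note-1"}',
  '{"ts":"2026-05-20T09:01:00Z","event":"share_granted","user":"bob","item":"note-2"}',
  '{"ts":"2026-05-20T10:00:00Z","event":"share_revoked","user":"bob","item":"note-1"}',
  '{"ts":"2026-05-20T10:05:00Z","event":"delta_request","user":"alice","returned":["note-1"]}',
  '{"ts":"2026-05-20T10:06:00Z","event":"delta_request","user":"bob","returned":["note-2"]}',
  '{"ts":"2026-05-20T10:10:00Z","event":"delta_request","user":"bob","returned":["note-1","note-2"]}',
  'not json at all',
  '{"ts":"2026-05-20T11:00:00Z","event":"share_granted","user":"bob","item":"note-1"}',
  '{"ts":"2026-05-20T11:05:00Z","event":"delta_request","user":"bob","returned":["note-1"]}',
];

function runSample(): Alert[] {
  return detectRevokedAccess(SAMPLE_LOG);
}

for (const a of runSample()) {
  console.log(`ALERT ${a.ts}: ${a.user} received ${a.item}, revoked at ${a.revokedAt}`);
}
```

Only the 10:10 sync fires: alice still holds the share, note-2 was never revoked from bob, and the 11:05 sync follows a fresh grant. The same replay runs over a real log export once parseLine knows the server's field names.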
How to Mitigate CVE-2026-34600
Immediate Actions Required
- Upgrade Joplin Server to version 3.5.3 or later, which contains the fix for both the delta authorization gap and the compression logic flaw
- Audit recent share revocations and review delta API access logs for accounts that may have retrieved revoked notes
- Rotate or revise note content that may have been disclosed to users whose access was previously revoked
Patch Information
The vulnerability is fixed in Joplin version 3.5.3. The fix addresses both the missing authorization check in ChangeModel.delta and the unsafe create-delete compression behavior. Review the GitHub Pull Request #14289 and the GitHub Issue #14110 for the upstream discussion of the prior incomplete fix and the additional remediation applied in 3.5.3.
Workarounds
- If immediate upgrade is not possible, disable the DELTA_INCLUDES_ITEMS option so that the delta API does not attach the latest item state to responses
- Limit share usage on sensitive notebooks until the server is upgraded to 3.5.3
- Restrict network access to the Joplin Server delta endpoints to trusted clients while remediation is pending
# Configuration example: disable item payloads in delta responses
# Set the following environment variable before starting Joplin Server
export DELTA_INCLUDES_ITEMS=0
# Then restart the service
systemctl restart joplin-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.