CVE-2026-35593 Overview
CVE-2026-35593 is a Local File Inclusion (LFI) vulnerability in Trilium Notes, an open-source hierarchical note-taking application used to build personal knowledge bases. Versions 0.102.1 and prior allow an authenticated attacker to read arbitrary files from the server's filesystem. The flaw resides in the uploadModifiedFileToAttachment function exposed through the /api/attachments/{attachmentId}/upload-modified-file endpoint. An attacker can substitute attachment content with any server file by supplying its path in the filePath request body parameter. The substituted content is then retrievable through the attachment download endpoint. The issue is fixed in Trilium Notes version 0.102.2.
Critical Impact
Authenticated attackers can read SSH keys, credential files, configuration files, and operating system files, potentially enabling remote code execution and lateral movement to co-hosted applications.
Affected Products
- Trilium Notes versions 0.102.1 and earlier
- TriliumNext distribution prior to 0.102.2
- Self-hosted Trilium server deployments exposing the attachments API
Discovery Timeline
- 2026-05-20 - CVE-2026-35593 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-35593
Vulnerability Analysis
The vulnerability is a Local File Inclusion issue classified under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory). Trilium Notes accepts a user-controlled filePath parameter inside the JSON body of a POST request to /api/attachments/{attachmentId}/upload-modified-file. The uploadModifiedFileToAttachment handler reads the file at that path from the server filesystem and overwrites the existing attachment's binary content with it. The application does not validate or sanitize the supplied path, so any path the Trilium process can read becomes attachment content. The attacker then issues a GET request to /api/attachments/{attachmentId}/download to retrieve the stolen file.
Root Cause
The root cause is missing path validation in the attachment modification routine. The function trusts a client-supplied filesystem path and uses it directly in a read operation. There is no allowlist of legitimate directories, no normalization to detect traversal sequences, and no check that the path belongs to managed attachment storage. Combined with the attachment download endpoint, this turns a write path into an arbitrary file read primitive.
Attack Vector
Exploitation requires an authenticated session with permission to modify an attachment. The attacker first creates or selects an existing attachment, then sends a POST request to the upload-modified-file endpoint with a JSON body specifying a sensitive target such as /etc/passwd, /root/.ssh/id_rsa, or application configuration files containing API tokens and database credentials. The server overwrites attachment content with the contents of the specified file, and the attacker downloads it. Files readable include SSH private keys, environment configuration, OS files, and secrets belonging to other applications co-hosted on the same server. Refer to the GitHub Security Advisory GHSA-hf4x-22rg-pjjp for additional technical context.
Detection Methods for CVE-2026-35593
Indicators of Compromise
- POST requests to /api/attachments/{attachmentId}/upload-modified-file containing a filePath value referencing system paths such as /etc/, /root/, /home/*/.ssh/, or application config directories.
- Attachment download responses whose content type or size deviates significantly from previously stored attachment data.
- Unexpected modifications to attachment records followed quickly by downloads of those same attachments.
Detection Strategies
- Inspect Trilium application logs for filePath payloads in upload-modified-file requests and alert on absolute paths outside the configured attachment storage directory.
- Correlate attachment update events with subsequent download events from the same session within short time windows.
- Apply web application firewall rules that block request bodies containing path traversal sequences or sensitive file paths on the attachments API.
Monitoring Recommendations
- Enable verbose API access logging on Trilium and forward logs to a centralized analytics platform for retention and search.
- Monitor filesystem access by the Trilium process for reads of files outside the application's data directory.
- Track authenticated user behavior for anomalous attachment write-then-download patterns.
How to Mitigate CVE-2026-35593
Immediate Actions Required
- Upgrade Trilium Notes to version 0.102.2 or later, which contains the official fix.
- Rotate any credentials, SSH keys, API tokens, and secrets that were accessible to the Trilium service account, assuming compromise until proven otherwise.
- Audit Trilium user accounts and revoke sessions or tokens for any unexpected or inactive accounts.
Patch Information
The maintainers fixed the issue in Trilium Notes 0.102.2. Release notes and binaries are available at GitHub Release v0.102.2. The advisory is documented at GitHub Security Advisory GHSA-hf4x-22rg-pjjp.
Workarounds
- Restrict network access to the Trilium server to trusted users and isolate it from co-hosted applications until patching is complete.
- Run the Trilium process under a dedicated low-privilege user account whose filesystem access is limited to the application's data directory.
- Deploy Trilium inside a container or chroot to reduce the scope of readable files if upgrading must be delayed.
# Configuration example: run Trilium under a dedicated user with restricted filesystem scope
sudo useradd -r -s /usr/sbin/nologin trilium
sudo chown -R trilium:trilium /var/lib/trilium
sudo chmod 750 /var/lib/trilium
# systemd hardening directives for the Trilium service unit
# ProtectSystem=strict
# ProtectHome=true
# ReadWritePaths=/var/lib/trilium
# NoNewPrivileges=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
