Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35593

CVE-2026-35593: Trilium Notes Path Traversal Vulnerability

CVE-2026-35593 is a path traversal flaw in Trilium Notes that allows authenticated attackers to read sensitive files from the server. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-35593 Overview

CVE-2026-35593 is a Local File Inclusion (LFI) vulnerability in Trilium Notes, an open-source hierarchical note-taking application used to build personal knowledge bases. Versions 0.102.1 and prior allow an authenticated attacker to read arbitrary files from the server's filesystem. The flaw resides in the uploadModifiedFileToAttachment function exposed through the /api/attachments/{attachmentId}/upload-modified-file endpoint. An attacker can substitute attachment content with any server file by supplying its path in the filePath request body parameter. The substituted content is then retrievable through the attachment download endpoint. The issue is fixed in Trilium Notes version 0.102.2.

Critical Impact

Authenticated attackers can read SSH keys, credential files, configuration files, and operating system files, potentially enabling remote code execution and lateral movement to co-hosted applications.

Affected Products

  • Trilium Notes versions 0.102.1 and earlier
  • TriliumNext distribution prior to 0.102.2
  • Self-hosted Trilium server deployments exposing the attachments API

Discovery Timeline

  • 2026-05-20 - CVE-2026-35593 published to NVD
  • 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-35593

Vulnerability Analysis

The vulnerability is a Local File Inclusion issue classified under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory). Trilium Notes accepts a user-controlled filePath parameter inside the JSON body of a POST request to /api/attachments/{attachmentId}/upload-modified-file. The uploadModifiedFileToAttachment handler reads the file at that path from the server filesystem and overwrites the existing attachment's binary content with it. The application does not validate or sanitize the supplied path, so any path the Trilium process can read becomes attachment content. The attacker then issues a GET request to /api/attachments/{attachmentId}/download to retrieve the stolen file.

Root Cause

The root cause is missing path validation in the attachment modification routine. The function trusts a client-supplied filesystem path and uses it directly in a read operation. There is no allowlist of legitimate directories, no normalization to detect traversal sequences, and no check that the path belongs to managed attachment storage. Combined with the attachment download endpoint, this turns a write path into an arbitrary file read primitive.

Attack Vector

Exploitation requires an authenticated session with permission to modify an attachment. The attacker first creates or selects an existing attachment, then sends a POST request to the upload-modified-file endpoint with a JSON body specifying a sensitive target such as /etc/passwd, /root/.ssh/id_rsa, or application configuration files containing API tokens and database credentials. The server overwrites attachment content with the contents of the specified file, and the attacker downloads it. Files readable include SSH private keys, environment configuration, OS files, and secrets belonging to other applications co-hosted on the same server. Refer to the GitHub Security Advisory GHSA-hf4x-22rg-pjjp for additional technical context.

Detection Methods for CVE-2026-35593

Indicators of Compromise

  • POST requests to /api/attachments/{attachmentId}/upload-modified-file containing a filePath value referencing system paths such as /etc/, /root/, /home/*/.ssh/, or application config directories.
  • Attachment download responses whose content type or size deviates significantly from previously stored attachment data.
  • Unexpected modifications to attachment records followed quickly by downloads of those same attachments.

Detection Strategies

  • Inspect Trilium application logs for filePath payloads in upload-modified-file requests and alert on absolute paths outside the configured attachment storage directory.
  • Correlate attachment update events with subsequent download events from the same session within short time windows.
  • Apply web application firewall rules that block request bodies containing path traversal sequences or sensitive file paths on the attachments API.

Monitoring Recommendations

  • Enable verbose API access logging on Trilium and forward logs to a centralized analytics platform for retention and search.
  • Monitor filesystem access by the Trilium process for reads of files outside the application's data directory.
  • Track authenticated user behavior for anomalous attachment write-then-download patterns.

How to Mitigate CVE-2026-35593

Immediate Actions Required

  • Upgrade Trilium Notes to version 0.102.2 or later, which contains the official fix.
  • Rotate any credentials, SSH keys, API tokens, and secrets that were accessible to the Trilium service account, assuming compromise until proven otherwise.
  • Audit Trilium user accounts and revoke sessions or tokens for any unexpected or inactive accounts.

Patch Information

The maintainers fixed the issue in Trilium Notes 0.102.2. Release notes and binaries are available at GitHub Release v0.102.2. The advisory is documented at GitHub Security Advisory GHSA-hf4x-22rg-pjjp.

Workarounds

  • Restrict network access to the Trilium server to trusted users and isolate it from co-hosted applications until patching is complete.
  • Run the Trilium process under a dedicated low-privilege user account whose filesystem access is limited to the application's data directory.
  • Deploy Trilium inside a container or chroot to reduce the scope of readable files if upgrading must be delayed.
bash
# Configuration example: run Trilium under a dedicated user with restricted filesystem scope
sudo useradd -r -s /usr/sbin/nologin trilium
sudo chown -R trilium:trilium /var/lib/trilium
sudo chmod 750 /var/lib/trilium
# systemd hardening directives for the Trilium service unit
# ProtectSystem=strict
# ProtectHome=true
# ReadWritePaths=/var/lib/trilium
# NoNewPrivileges=true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.