CVE-2026-39309 Overview
CVE-2026-39309 affects Trilium Notes, a cross-platform hierarchical note-taking application used for building large personal knowledge bases. Versions 0.102.1 and prior ship an Electron configuration that enables a Transparency, Consent, and Control (TCC) bypass on macOS through prompt spoofing [CWE-290]. A local attacker can launch the trusted Trilium binary in Node.js mode and execute arbitrary commands under Trilium's identity. macOS then presents TCC permission prompts as if they originated from Trilium, tricking users into granting access to the camera, microphone, screen, and protected folders. The issue is fixed in version 0.102.2.
Critical Impact
Local attackers can impersonate Trilium Notes to obtain TCC-protected access to hardware sensors, the screen, and user folders such as ~/Documents and ~/Downloads.
Affected Products
- Trilium Notes versions 0.102.1 and prior (macOS Electron build)
- TriliumNext distribution prior to v0.102.2
- macOS installations relying on TCC for hardware and file access control
Discovery Timeline
- 2026-05-20 - CVE-2026-39309 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-39309
Vulnerability Analysis
The flaw is an identity spoofing weakness rooted in Electron's RunAsNode fuse. When this fuse is enabled, the packaged Trilium binary can be invoked with the -e flag to execute arbitrary JavaScript in a Node.js context. The spawned process inherits the bundle identifier, code signature, and TCC entitlements of Trilium Notes.
macOS enforces privacy controls by checking the parent application's identity when a process requests sensitive resources. Because the attacker's subprocess runs under Trilium's signed binary, the operating system attributes the request to Trilium. The user sees a TCC consent dialog naming Trilium and is likely to approve it, granting the attacker access to hardware and protected directories.
Exploitation does not require kernel access or memory corruption. It abuses a legitimate Electron feature combined with macOS's trust model, making it a social engineering and configuration weakness rather than a memory safety bug.
Root Cause
The Electron application was built with the RunAsNode fuse left enabled. This fuse permits the bundled binary to behave as a generic Node.js interpreter, accepting -e and similar arguments. Combined with Trilium's TCC entitlements, this turns the signed app into a confused deputy for any local process that can invoke it.
Attack Vector
A local attacker with code execution as the current user runs the Trilium binary with crafted Node.js arguments. The child process inherits Trilium's identity and issues APIs that trigger TCC prompts for the camera, microphone, screen recording, or file access. The displayed prompt attributes the request to Trilium, increasing the likelihood of user approval.
No synthetic exploitation code is reproduced here. Refer to the GitHub Security Advisory GHSA-66pm-8hvq-2wwx for vendor-confirmed technical details.
Detection Methods for CVE-2026-39309
Indicators of Compromise
- Execution of the Trilium binary with -e, --eval, or ELECTRON_RUN_AS_NODE=1 environment variable set
- Unexpected TCC consent prompts attributing camera, microphone, or screen access to Trilium Notes
- New entries for Trilium in tccutil or /Library/Application Support/com.apple.TCC/TCC.db for sensitive categories
Detection Strategies
- Monitor process creation events for the Trilium executable launched with Node.js-style arguments or ELECTRON_RUN_AS_NODE in its environment
- Alert when child processes of non-Trilium parents spawn the Trilium binary with command-line scripts
- Correlate TCC database modifications with recent Trilium subprocess activity
Monitoring Recommendations
- Ingest macOS EndpointSecurity process and exec telemetry into a centralized analytics pipeline
- Track installed Trilium versions across managed endpoints and flag any host running 0.102.1 or earlier
- Review user-granted TCC permissions periodically and revoke entries for outdated Trilium installations
How to Mitigate CVE-2026-39309
Immediate Actions Required
- Upgrade all macOS endpoints running Trilium Notes to version 0.102.2 or later
- Revoke existing TCC permissions granted to vulnerable Trilium versions before upgrading
- Restrict local execution of unsigned helper scripts that could invoke the Trilium binary
Patch Information
The maintainers released the fix in Trilium v0.102.2, which disables the RunAsNode Electron fuse so the packaged binary no longer accepts arbitrary Node.js execution arguments. See the GitHub Security Advisory GHSA-66pm-8hvq-2wwx for advisory metadata.
Workarounds
- Remove Trilium Notes from macOS hosts until upgrade to 0.102.2 is possible
- Deny Trilium access to camera, microphone, screen recording, and Full Disk Access in System Settings → Privacy & Security
- Apply application allowlisting to prevent non-interactive invocation of the Trilium binary by other processes
# Verify installed Trilium version and reset its TCC permissions on macOS
mdls -name kMDItemVersion /Applications/Trilium\ Notes.app
tccutil reset Camera com.github.trilium-notes
tccutil reset Microphone com.github.trilium-notes
tccutil reset ScreenCapture com.github.trilium-notes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
