CVE-2026-39310 Overview
CVE-2026-39310 is an authentication bypass vulnerability in Trilium Notes, a cross-platform hierarchical note-taking application. The flaw affects Trilium Desktop versions 0.102.1 and prior when running in an Electron environment. Trilium explicitly disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes to the network without a password, API token, or Cross-Site Request Forgery (CSRF) protection. Attackers on a shared network can locate vulnerable instances by scanning for high-range ports and querying the unauthenticated handshake endpoint. The issue is categorized under [CWE-284] Improper Access Control and is fixed in version 0.102.2.
Critical Impact
Unauthenticated network-adjacent attackers can read and modify personal knowledge bases, deliver phishing content, and pivot toward local system compromise on hosts running Trilium Desktop.
Affected Products
- Trilium Notes Desktop version 0.101.3
- Trilium Notes versions 0.102.1 and prior
- Trilium Notes Electron-based desktop builds
Discovery Timeline
- 2026-05-20 - CVE-2026-39310 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-39310
Vulnerability Analysis
The vulnerability resides in the Clipper API authentication logic inside Trilium Desktop. When the application detects an Electron runtime, it deliberately removes the authentication middleware that would otherwise protect Clipper endpoints. The Clipper API exists for local browser-extension integration, so the developers assumed the listener would only ever be reached from localhost. In practice, the desktop application's HTTP listener (on a high port such as 37840) is reachable from any host on the same network segment, not only from the loopback interface, and nothing in the Clipper route handlers checks where a request came from. As a result, endpoints including /api/clipper/handshake and /api/clipper/notes accept requests without any credential check.
Root Cause
The root cause is improper access control [CWE-284] tied to environment-based trust assumptions. The code path that registers Clipper routes conditionally bypasses authentication when isElectron is true. No additional binding restrictions, origin checks, or token validation compensate for the removed middleware. CSRF protection is also disabled on the same routes, allowing state-changing requests from any origin.
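The pattern described above, as an added illustration that is not Trilium's source code: a route group whose authentication middleware is registered only when the runtime is not Electron, beside the hardened form that registers it unconditionally. The router, the names requireAuth, clipperNotesHandler and isElectron, the token value and the two request objects are all hypothetical; the router is a minimal Express-style stand-in so the example runs without dependencies.

```javascript
"use strict";

// Added illustration of the root cause, not Trilium's source. Names and token are hypothetical.

const VALID_TOKEN = "demo-clipper-token"; // constructed for the example

// Minimal Express-style chain: middlewares run in order; one that does not call next() ends the request.
class Router {
  constructor() { this.stack = []; }
  use(fn) { this.stack.push(fn); return this; }
  handle(req) {
    const res = { status: 200, body: null };
    let i = 0;
    const next = () => {
      const fn = this.stack[i++];
      if (fn) fn(req, res, next);
    };
    next();
    return res;
  }
}

// Credential check: only requests carrying the expected bearer token proceed.
function requireAuth(req, res, next) {
  if (req.headers.authorization === `Bearer ${VALID_TOKEN}`) return next();
  res.status = 401;
  res.body = { error: "unauthorized" };
}

// Stand-in for the note-creation endpoint. It never inspects the caller itself;
// it relies entirely on whatever middleware was registered in front of it.
function clipperNotesHandler(req, res) {
  res.status = 201;
  res.body = { created: req.body.title };
}

// Vulnerable pattern: the runtime environment, not the caller, decides whether auth applies.
// In the desktop build isElectron is true, so requireAuth is never registered and any host
// that can reach the socket can create notes.
function buildVulnerableRouter(isElectron) {
  const r = new Router();
  if (!isElectron) r.use(requireAuth);
  return r.use(clipperNotesHandler);
}

// Hardened pattern: authentication is registered regardless of the runtime context.
function buildFixedRouter(_isElectron) {
  return new Router().use(requireAuth).use(clipperNotesHandler);
}

// Constructed request from a peer on the same LAN, carrying no credentials.
const remoteUnauthenticated = {
  remoteAddress: "10.0.0.23",
  headers: {},
  body: { title: "Account verification required" },
};

// Constructed request from the local browser extension, carrying the token.
const localAuthenticated = {
  remoteAddress: "127.0.0.1",
  headers: { authorization: `Bearer ${VALID_TOKEN}` },
  body: { title: "Clipped article" },
};

function demo() {
  return {
    vulnerableRemote: buildVulnerableRouter(true).handle(remoteUnauthenticated).status, // 201: note created
    fixedRemote: buildFixedRouter(true).handle(remoteUnauthenticated).status,           // 401
    fixedLocal: buildFixedRouter(true).handle(localAuthenticated).status,               // 201
  };
}

console.log(demo());
```

The point the example makes is that the vulnerable router never looks at remoteAddress at all: once the environment check has stripped the middleware, a request from 10.0.0.23 is indistinguishable from one from the extension on loopback.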
Attack Vector
An attacker on a corporate LAN, public Wi-Fi, or any shared subnet enumerates open ports using a tool such as nmap, targeting Trilium's typical port range. Once a candidate service responds, the attacker sends an unauthenticated request to the Clipper handshake endpoint. The endpoint returns the application name and protocol version, confirming a Trilium instance. The attacker then issues requests to /api/clipper/notes and related endpoints to read existing notes, inject new notes containing phishing payloads or malicious links, or stage content that may be opened by the legitimate user. Because the desktop client renders content via Electron, injected notes can facilitate further local system compromise.
No verified proof-of-concept code is published with this advisory. Technical specifics are available in the GitHub Security Advisory GHSA-jcvx-vc83-cppw.
Detection Methods for CVE-2026-39310
Indicators of Compromise
- Unexpected inbound TCP connections to port 37840 or nearby high-range ports on hosts running Trilium Desktop.
- HTTP requests to /api/clipper/handshake or /api/clipper/notes originating from non-loopback addresses.
- New or modified notes containing unfamiliar URLs, scripts, or attachments not created by the user.
- Trilium process logs showing API activity outside of normal browser-extension usage patterns.
Detection Strategies
- Monitor host-based firewall logs for external connections to Trilium's listener ports and alert on any non-localhost source.
- Inspect network traffic for HTTP requests containing the path /api/clipper/ from sources other than 127.0.0.1 or ::1.
- Correlate nmap-style port scanning activity on internal subnets with subsequent connections to Trilium ports.
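A worked version of the second strategy, added here and not part of the advisory: scan connection log lines for Clipper API requests whose source is not the loopback interface. The log format is constructed for the example (timestamp, source, destination, request line, status) and the function findRemoteClipperRequests is hypothetical; adapt the regex to whatever your proxy, host firewall or endpoint agent actually emits. The loopback check deliberately covers ::1 and IPv4-mapped IPv6 (::ffff:127.0.0.1), which a plain comparison against 127.0.0.1 would miss and therefore wrongly flag.

```javascript
"use strict";

// Added detection example, not part of the advisory or of Trilium. Log format is constructed.

// True for 127.0.0.0/8, ::1 and IPv4-mapped IPv6 loopback (::ffff:127.x.x.x).
function isLoopback(host) {
  const h = host.toLowerCase();
  if (h === "::1") return true;
  const v4 = h.startsWith("::ffff:") ? h.slice("::ffff:".length) : h;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(v4);
}

// Splits "10.0.0.23:51922" or "[::1]:51922" into the host part.
function hostOf(endpoint) {
  const m = endpoint.match(/^\[([^\]]+)\]:\d+$/);
  if (m) return m[1];
  const idx = endpoint.lastIndexOf(":");
  return idx === -1 ? endpoint : endpoint.slice(0, idx);
}

// Constructed format: <timestamp> <src> -> <dst> "<method> <path> <proto>" <status>
const LINE_RE = /^(\S+) (\S+) -> (\S+) "(\S+) (\S+) [^"]*" (\d{3})$/;

// Returns one finding per Clipper API request from a non-loopback source.
// Lines that do not match the expected format are skipped rather than guessed at.
function findRemoteClipperRequests(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(LINE_RE);
    if (!m) continue;
    const [, ts, src, dst, method, path, status] = m;
    if (!path.startsWith("/api/clipper/")) continue;
    const srcHost = hostOf(src);
    if (isLoopback(srcHost)) continue;
    findings.push({ ts, src: srcHost, dst, method, path, status: Number(status) });
  }
  return findings;
}

// Constructed sample: three legitimate extension requests over loopback (IPv4, IPv6 and
// IPv4-mapped), two requests from a LAN peer, one non-Clipper request and one malformed line.
const SAMPLE_LOG = [
  '2026-05-21T10:02:13Z 127.0.0.1:51900 -> 127.0.0.1:37840 "POST /api/clipper/notes HTTP/1.1" 201',
  '2026-05-21T10:02:40Z [::1]:51901 -> [::1]:37840 "GET /api/clipper/handshake HTTP/1.1" 200',
  '2026-05-21T10:03:05Z 10.0.0.23:40212 -> 10.0.0.5:37840 "GET /api/clipper/handshake HTTP/1.1" 200',
  '2026-05-21T10:03:09Z 10.0.0.23:40213 -> 10.0.0.5:37840 "POST /api/clipper/notes HTTP/1.1" 201',
  '2026-05-21T10:03:20Z [::ffff:127.0.0.1]:40214 -> [::ffff:127.0.0.1]:37840 "GET /api/clipper/handshake HTTP/1.1" 200',
  '2026-05-21T10:04:00Z 10.0.0.23:40215 -> 10.0.0.5:37840 "GET /api/notes HTTP/1.1" 401',
  'garbage line that should be skipped',
];

const findings = findRemoteClipperRequests(SAMPLE_LOG);
for (const f of findings) console.log(`${f.ts} ${f.src} ${f.method} ${f.path} -> ${f.status}`);
```

On the sample the two 10.0.0.23 lines are reported (a handshake followed by a note creation, which is exactly the sequence the attack vector section describes), while the three loopback requests and the non-Clipper request are not.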
Monitoring Recommendations
- Enumerate endpoints running Trilium Desktop and confirm the installed version is 0.102.2 or later.
- Log and review process network bindings on developer and knowledge-worker workstations to identify exposed local services.
- Establish baseline traffic patterns for the Clipper API and alert on deviations such as remote source addresses.
How to Mitigate CVE-2026-39310
Immediate Actions Required
- Upgrade Trilium Notes Desktop to version 0.102.2 or later on all endpoints.
- Until the upgrade is applied, use a host-based firewall rule to block access to the Trilium listener port from anything other than the loopback interface.
- Audit existing note content for unauthorized entries that may have been injected during the exposure window.
- Avoid running Trilium Desktop on untrusted networks such as public Wi-Fi until patched.
Patch Information
The maintainers fixed the issue in Trilium Notes version 0.102.2. The patch reinstates authentication middleware for the Clipper API regardless of the Electron runtime context. See the GitHub Release v0.102.2 for release notes and download links.
Workarounds
- Use local firewall rules to drop inbound traffic to the Trilium listener port (37840 in the example below) arriving on any interface other than loopback. A firewall rule filters traffic but does not change what the application binds to, so confirm the actual listening port and bound address on the host first (for example with ss or netstat) and adjust the rule accordingly.
- Disable or remove the Clipper integration if browser-clipping functionality is not required.
- Run Trilium Desktop only on isolated networks or behind a host-based firewall that drops non-loopback connections to its listener port.
# Example host firewall rules to block remote access to Trilium's Clipper port on Linux.
# Matching on the interface (rather than on a 127.0.0.1 source) allows both IPv4 and IPv6 loopback; -I puts the rule ahead of any existing ACCEPT.
sudo iptables -I INPUT ! -i lo -p tcp --dport 37840 -j DROP
sudo ip6tables -I INPUT ! -i lo -p tcp --dport 37840 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


