CVE-2025-68621
Timing Attack in Trilium Notes Sync Enables Full Auth Bypass
Publication date: 2026-02-06
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| triliumnotes | trilium | to 0.101.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Trilium Notes versions prior to 0.101.0. It is a critical timing attack in the sync authentication endpoint that allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte by analyzing the timing of responses. This statistical timing analysis enables attackers to bypass authentication completely without knowing the password.
How can this vulnerability impact me? :
Exploitation of this vulnerability allows attackers to gain full read and write access to the victim's knowledge base in Trilium Notes. Since the attacker can bypass authentication without a password, they can view, modify, or delete sensitive personal or organizational information stored within the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Trilium Notes to version 0.101.0 or later, where the critical timing attack vulnerability in the sync authentication endpoint has been fixed.