CVE-2026-34600
Joplin Note-Taking App Delta API Access Issue
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joplin | joplin | up to 3.5.3 (exclusive) |
| joplin | joplin | 3.5.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-281 | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Joplin Server versions 3.5.2 and earlier allows unauthorized users to access notes they no longer have permission to view due to a logic error in the delta API. This exposure of restricted note content could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Since the flaw results in unauthorized disclosure of user data, organizations using affected versions of Joplin may face risks related to data privacy and confidentiality obligations under these regulations until the issue is patched in version 3.5.3.
Can you explain this vulnerability to me?
This vulnerability exists in Joplin versions 3.5.2 and earlier, in the delta API used for sharing notes. Due to a logic error, the API can return notes to share recipients even after those notes are no longer shared with them.
Specifically, when the DELTA_INCLUDES_ITEMS feature is enabled (which is the default), the API attaches the latest state of items without verifying if the requesting user still has access. The removal logic only filters items deleted for all users, not for individual users.
Additionally, the change compression logic incorrectly treats some create-delete sequences as no-operations, causing deletions to be dropped in certain cases. This results in the API returning a create event with the full content of a deleted item, exposing notes that the user should no longer access.
This issue was fixed in version 3.5.3.
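As an added illustration of the two failure modes just described, the following is a hypothetical model, not Joplin's code: a change log of per-item create/update/delete events in which an unshare is recorded as a delete scoped to one `userId`, with a vulnerable delta builder beside a corrected one. All types, the `SHARED_WITH` table and the sample log are constructed.

```typescript
// Added model (not Joplin's code) of the delta-API bug described above: a change
// log of create/update/delete events per item, where an unshare is a delete
// scoped to one userId. All shapes and sample data are constructed.
type ChangeType = 'create' | 'update' | 'delete';
export interface Change { itemId: string; type: ChangeType; userId?: string }
export interface DeltaEntry { itemId: string; type: ChangeType; content?: string }

// Constructed state: alice owns n1; it was shared with bob, then unshared.
const CONTENT: Record<string, string> = { n1: 'confidential note body' };
const SHARED_WITH: Record<string, string[]> = { n1: ['alice'] };
export const LOG: Change[] = [
  { itemId: 'n1', type: 'create' },
  { itemId: 'n1', type: 'delete', userId: 'bob' }, // per-user removal (unshare)
];

function groupByItem(changes: Change[]): Record<string, Change[]> {
  const groups: Record<string, Change[]> = {};
  for (const c of changes) groups[c.itemId] = [...(groups[c.itemId] ?? []), c];
  return groups;
}

// Vulnerable: only a delete that applies to all users counts as a removal, and
// the item's latest content is attached without checking the requester's access.
export function deltaVulnerable(_user: string, changes: Change[]): DeltaEntry[] {
  const out: DeltaEntry[] = [];
  for (const [itemId, list] of Object.entries(groupByItem(changes))) {
    const created = list.some(c => c.type === 'create');
    const deletedForAll = list.some(c => c.type === 'delete' && c.userId === undefined);
    if (created && deletedForAll) continue; // create+delete collapsed to a no-op
    if (deletedForAll) { out.push({ itemId, type: 'delete' }); continue; }
    out.push({ itemId, type: created ? 'create' : 'update', content: CONTENT[itemId] });
  }
  return out;
}

// Hardened: a delete scoped to the requester is a removal for that requester, and
// content is attached only while the requester still has access to the item.
export function deltaFixed(user: string, changes: Change[]): DeltaEntry[] {
  const out: DeltaEntry[] = [];
  for (const [itemId, list] of Object.entries(groupByItem(changes))) {
    const created = list.some(c => c.type === 'create');
    const removed = list.some(c => c.type === 'delete' && (c.userId === undefined || c.userId === user));
    if (removed) { if (!created) out.push({ itemId, type: 'delete' }); continue; } // client drops its copy
    if (!(SHARED_WITH[itemId] ?? []).includes(user)) continue; // no (longer any) access
    out.push({ itemId, type: created ? 'create' : 'update', content: CONTENT[itemId] });
  }
  return out;
}
```

For the sample log, `deltaVulnerable('bob', LOG)` hands bob a create event carrying the full note body, while `deltaFixed('bob', LOG)` returns nothing and `deltaFixed('alice', LOG)` still returns the note to its owner.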
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to notes that a user should no longer have access to. Share recipients may be able to download and view notes that have been unshared with them.
Such unauthorized exposure of potentially sensitive or private information can compromise confidentiality and privacy.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Joplin to version 3.5.3 or later, where the issue has been fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Joplin Server's delta API returning notes that a user should no longer have access to due to a logic error in handling shared item states.
Detection can be approached by monitoring or intercepting sync API calls to the delta endpoint and verifying if notes or items returned include content that should have been unshared or deleted for the requesting user.
A practical method is to use Joplin's sync fuzzer or similar testing tools to simulate a user syncing notes after unsharing or deleting them, and checking if the delta API response still contains those notes.
Specific commands are not provided in the available resources, but you can use an HTTP client (e.g., curl, Postman) to send authenticated requests to the delta API endpoint and analyze the returned data for note content the requesting user should no longer be able to access.