CVE-2026-39310
Authentication Bypass in Trilium Notes Clipper API
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trilium | trilium | to 0.102.2 (exc) |
| trilium | trilium | 0.102.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39310 is an authentication bypass vulnerability in the Clipper API of Trilium Desktop versions 0.102.1 and prior when running in an Electron environment.
The application disables authentication middleware for the Clipper API if it detects it is running inside Electron, exposing endpoints such as /api/clipper/notes without requiring a password, API token, or CSRF protection.
An attacker on a shared network can scan for open high-range ports to find Trilium instances and then send unauthenticated requests to confirm the presence of the application and exploit the exposed API.
This allows unauthorized access to user data, injection of malicious content, phishing attacks, and potential local system compromise.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized data access since attackers can bypass authentication and access private notes and information stored in Trilium.
Attackers can inject malicious content into a user's private database, which can be used for phishing or further compromise of the local system.
Because the attack can be performed remotely over a network without any user interaction, it poses a high risk to users on shared or public networks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning your network for open high-range ports that Trilium often binds to, such as port 37840.
Once a candidate port is found, you can send an unauthenticated request to the Clipper handshake endpoint to confirm a Trilium instance. This endpoint returns the application name and protocol version, indicating the presence of the vulnerable service.
A common tool for scanning ports is nmap. For example, you can run the following command to scan for open ports in the range 37000-38000 on a target IP:
- nmap -p 37000-38000 <target-ip>
After identifying an open port, you can use curl or a similar HTTP client to send a request to the Clipper handshake endpoint, for example:
- curl http://<target-ip>:<port>/api/clipper/handshake
If the response includes the application name and protocol version, it confirms the presence of a vulnerable Trilium instance.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step to mitigate this vulnerability is to update Trilium Notes to version 0.102.2 or later, where the issue has been fixed.
This update includes important security fixes that restore authentication middleware for the Clipper API in Electron environments and add additional security measures.
Until you can update, consider restricting network access to the ports used by Trilium (such as 37840) by using firewall rules to block unauthorized access, especially on shared or public networks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized access to private user data by bypassing authentication in the Trilium Desktop application. This unauthorized access could lead to exposure of sensitive personal or organizational information.
Such exposure and unauthorized access may result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data to ensure confidentiality and integrity.
Therefore, until the vulnerability is patched (in version 0.102.2), affected users risk violating these compliance standards due to potential data breaches facilitated by this authentication bypass.