CVE-2026-34600: CWE-281: Improper Preservation of Permissions in laurent22 joplin
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INCLUDES_ITEMS is enabled (the default), the latest state of items is attached to delta output without verifying that those items are still shared with the requesting user, and the existing removal logic only filters items deleted for all users. Additionally, the change compression logic incorrectly reduces create - delete to NOOP, which is unsafe because compression is applied per page and an item can have multiple create events; if an earlier create falls on a separate page from a later create -> delete pair, the deletion is dropped and the sequence collapses to a create. As a result, the delta API returns a create event for a deleted item with the full latest content attached, exposing notes the user no longer has access to. This issue has been fixed in version 3.5.3.
AI Analysis
Technical Summary
Joplin, an open source note-taking application, has a vulnerability (CVE-2026-34600) in versions prior to 3.5.3 where the delta API improperly preserves permissions. When DELTA_INCLUDES_ITEMS is enabled, the API attaches the latest state of items without verifying if the requesting user still has access. The removal logic only filters items deleted for all users, not those unshared from specific users. Additionally, the change compression logic incorrectly reduces create-delete sequences to no-ops per page, which can drop deletions if create and delete events occur on different pages. This results in the delta API returning create events with full content for notes that should no longer be accessible to the user. The issue is addressed in version 3.5.3.
Potential Impact
An unauthorized user who previously had access to shared notes may continue to receive full content of notes that have been unshared, violating confidentiality. The vulnerability does not affect integrity or availability. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in Joplin version 3.5.3. Users should upgrade to version 3.5.3 or later to remediate this issue. Patch status is confirmed by the vendor's release notes indicating the fix in 3.5.3. No additional mitigation steps are indicated.
CVE-2026-34600: CWE-281: Improper Preservation of Permissions in laurent22 joplin
Description
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INCLUDES_ITEMS is enabled (the default), the latest state of items is attached to delta output without verifying that those items are still shared with the requesting user, and the existing removal logic only filters items deleted for all users. Additionally, the change compression logic incorrectly reduces create - delete to NOOP, which is unsafe because compression is applied per page and an item can have multiple create events; if an earlier create falls on a separate page from a later create -> delete pair, the deletion is dropped and the sequence collapses to a create. As a result, the delta API returns a create event for a deleted item with the full latest content attached, exposing notes the user no longer has access to. This issue has been fixed in version 3.5.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Joplin, an open source note-taking application, has a vulnerability (CVE-2026-34600) in versions prior to 3.5.3 where the delta API improperly preserves permissions. When DELTA_INCLUDES_ITEMS is enabled, the API attaches the latest state of items without verifying if the requesting user still has access. The removal logic only filters items deleted for all users, not those unshared from specific users. Additionally, the change compression logic incorrectly reduces create-delete sequences to no-ops per page, which can drop deletions if create and delete events occur on different pages. This results in the delta API returning create events with full content for notes that should no longer be accessible to the user. The issue is addressed in version 3.5.3.
Potential Impact
An unauthorized user who previously had access to shared notes may continue to receive full content of notes that have been unshared, violating confidentiality. The vulnerability does not affect integrity or availability. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in Joplin version 3.5.3. Users should upgrade to version 3.5.3 or later to remediate this issue. Patch status is confirmed by the vendor's release notes indicating the fix in 3.5.3. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T17:15:52.499Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0dd46fba1db473628b2185
Added to database: 5/20/2026, 3:34:07 PM
Last enriched: 5/20/2026, 3:48:53 PM
Last updated: 5/20/2026, 8:26:43 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.