Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 93%

CVE-2026-39309: CWE-451: User Interface (UI) Misrepresentation of Critical Information in TriliumNext Trilium

0
Medium
VulnerabilityCVE-2026-39309cvecve-2026-39309cwe-451cwe-290
Published: 05/19/2026 (05/19/2026, 23:54:46 UTC)
Source: CVE Database V5
Vendor/Project: TriliumNext
Product: Trilium

Description

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission prompts by running malicious code under the identity of the trusted app. The root cause is that the RunAsNode fuse allows launching the app in a special Node.js mode using -e to execute arbitrary system commands with Trilium Notes's permissions and identity. An attacker can leverage this through a subprocess to request any sensitive permissions, such as access to hardware (camera, microphone) and TCC-protected files, causing the TCC system prompt to appear as if the request came from Trilium rather than the attacker's code, because macOS treats the subprocess as part of the parent application. Exploitation allows access to TCC-protected resources like the screen, camera, microphone, and folders such as ~/Documents and ~/Downloads, undermining macOS's security model and UI integrity through social engineering. This issue has been fixed in version 0.102.2.

CVSS v3.1

Score 5.5medium

Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected software

GitHub Actionsmore threats →ai
triliumnext/Trilium
pkg:github/triliumnext/Trilium
Affected versions
<0.102.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 05/20/2026, 00:33:32 UTC

Technical Analysis

Trilium Notes, a cross-platform note-taking application, has a vulnerability (CVE-2026-39309) in versions prior to 0.102.2 where the Electron configuration allows local attackers to bypass macOS Transparency, Consent, and Control (TCC) protections via prompt spoofing. The root cause is the RunAsNode fuse feature that permits launching the app in a Node.js mode with the ability to execute arbitrary system commands using the -e flag. Attackers can leverage this to spawn subprocesses that request sensitive permissions, causing macOS to display permission prompts as if they originate from Trilium, thereby misleading users. This can lead to unauthorized access to TCC-protected resources such as screen recording, camera, microphone, and user folders. The vulnerability has a CVSS 3.1 score of 5.5 (medium severity) and was addressed in Trilium version 0.102.2.

Potential Impact

Exploitation allows local attackers to trick users into granting sensitive macOS permissions by displaying spoofed system prompts that appear to come from the trusted Trilium application. This can result in unauthorized access to protected hardware (camera, microphone) and files (Documents, Downloads), compromising user privacy and security. The integrity of macOS's UI security model is undermined, facilitating social engineering attacks.

Mitigation Recommendations

This vulnerability is fixed in Trilium version 0.102.2. Users should upgrade to version 0.102.2 or later to remediate this issue. No additional vendor advisory or patch links are provided, but upgrading to the fixed version is the recommended action.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-04-06T19:31:07.265Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a0cfde2ba1db47362fd9f0d

Added to database: 05/20/2026, 00:18:42 UTC

Last enriched: 05/20/2026, 00:33:32 UTC

Last updated: 07/07/2026, 10:33:23 UTC

Views: 105

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses