CVE-2026-39309: CWE-451: User Interface (UI) Misrepresentation of Critical Information in TriliumNext Trilium
A vulnerability in Trilium Notes versions 0. 102. 1 and earlier allows local attackers to spoof macOS permission prompts by exploiting the app's Node. js mode execution feature. This enables malicious code to request sensitive permissions such as camera, microphone, and access to protected files, with the system prompt appearing as if it originates from the trusted Trilium app. The issue undermines macOS's security model and user interface integrity through social engineering. The vulnerability is fixed in version 0. 102. 2.
AI Analysis
Technical Summary
Trilium Notes, a cross-platform note-taking application, has a vulnerability (CVE-2026-39309) in versions prior to 0.102.2 where the Electron configuration allows local attackers to bypass macOS Transparency, Consent, and Control (TCC) protections via prompt spoofing. The root cause is the RunAsNode fuse feature that permits launching the app in a Node.js mode with the ability to execute arbitrary system commands using the -e flag. Attackers can leverage this to spawn subprocesses that request sensitive permissions, causing macOS to display permission prompts as if they originate from Trilium, thereby misleading users. This can lead to unauthorized access to TCC-protected resources such as screen recording, camera, microphone, and user folders. The vulnerability has a CVSS 3.1 score of 5.5 (medium severity) and was addressed in Trilium version 0.102.2.
Potential Impact
Exploitation allows local attackers to trick users into granting sensitive macOS permissions by displaying spoofed system prompts that appear to come from the trusted Trilium application. This can result in unauthorized access to protected hardware (camera, microphone) and files (Documents, Downloads), compromising user privacy and security. The integrity of macOS's UI security model is undermined, facilitating social engineering attacks.
Mitigation Recommendations
This vulnerability is fixed in Trilium version 0.102.2. Users should upgrade to version 0.102.2 or later to remediate this issue. No additional vendor advisory or patch links are provided, but upgrading to the fixed version is the recommended action.
CVE-2026-39309: CWE-451: User Interface (UI) Misrepresentation of Critical Information in TriliumNext Trilium
Description
A vulnerability in Trilium Notes versions 0. 102. 1 and earlier allows local attackers to spoof macOS permission prompts by exploiting the app's Node. js mode execution feature. This enables malicious code to request sensitive permissions such as camera, microphone, and access to protected files, with the system prompt appearing as if it originates from the trusted Trilium app. The issue undermines macOS's security model and user interface integrity through social engineering. The vulnerability is fixed in version 0. 102. 2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Trilium Notes, a cross-platform note-taking application, has a vulnerability (CVE-2026-39309) in versions prior to 0.102.2 where the Electron configuration allows local attackers to bypass macOS Transparency, Consent, and Control (TCC) protections via prompt spoofing. The root cause is the RunAsNode fuse feature that permits launching the app in a Node.js mode with the ability to execute arbitrary system commands using the -e flag. Attackers can leverage this to spawn subprocesses that request sensitive permissions, causing macOS to display permission prompts as if they originate from Trilium, thereby misleading users. This can lead to unauthorized access to TCC-protected resources such as screen recording, camera, microphone, and user folders. The vulnerability has a CVSS 3.1 score of 5.5 (medium severity) and was addressed in Trilium version 0.102.2.
Potential Impact
Exploitation allows local attackers to trick users into granting sensitive macOS permissions by displaying spoofed system prompts that appear to come from the trusted Trilium application. This can result in unauthorized access to protected hardware (camera, microphone) and files (Documents, Downloads), compromising user privacy and security. The integrity of macOS's UI security model is undermined, facilitating social engineering attacks.
Mitigation Recommendations
This vulnerability is fixed in Trilium version 0.102.2. Users should upgrade to version 0.102.2 or later to remediate this issue. No additional vendor advisory or patch links are provided, but upgrading to the fixed version is the recommended action.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T19:31:07.265Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0cfde2ba1db47362fd9f0d
Added to database: 5/20/2026, 12:18:42 AM
Last enriched: 5/20/2026, 12:33:32 AM
Last updated: 5/20/2026, 3:19:31 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.