CVE-2026-39310: CWE-284: Improper Access Control in TriliumNext Trilium
CVE-2026-39310 is an improper access control vulnerability in Trilium Notes versions prior to 0. 102. 2. The Clipper API in Trilium Desktop disables authentication middleware when running in an Electron environment, exposing endpoints without password, API token, or CSRF protection. This allows an attacker on a shared network to discover and access the API unauthenticated, potentially leading to unauthorized data access, phishing, and local system compromise. The issue is fixed in version 0. 102. 2.
AI Analysis
Technical Summary
Trilium Notes versions 0.102.1 and earlier contain an authentication bypass vulnerability in the Clipper API when running in an Electron environment. The application disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes without any authentication or CSRF protection. Attackers on shared networks can scan for open ports typically used by Trilium, confirm the service by querying the Clipper handshake endpoint, and then access the API without credentials. This vulnerability is tracked as CVE-2026-39310 and is classified under CWE-284 (Improper Access Control) and CWE-306 (Missing Authentication for Critical Function). The vulnerability has a CVSS 3.1 base score of 8.6, indicating high severity. The issue is resolved in Trilium version 0.102.2.
Potential Impact
An attacker on a shared network can bypass authentication to access the Clipper API of Trilium Notes, potentially leading to unauthorized access to user data, phishing attacks, and local system compromise. The vulnerability affects confidentiality, integrity, and availability to varying degrees as indicated by the CVSS vector (C:L/I:H/A:L).
Mitigation Recommendations
Upgrade Trilium Notes to version 0.102.2 or later, where this authentication bypass vulnerability has been fixed. No other mitigation is specified or required once the update is applied.
CVE-2026-39310: CWE-284: Improper Access Control in TriliumNext Trilium
Description
CVE-2026-39310 is an improper access control vulnerability in Trilium Notes versions prior to 0. 102. 2. The Clipper API in Trilium Desktop disables authentication middleware when running in an Electron environment, exposing endpoints without password, API token, or CSRF protection. This allows an attacker on a shared network to discover and access the API unauthenticated, potentially leading to unauthorized data access, phishing, and local system compromise. The issue is fixed in version 0. 102. 2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Trilium Notes versions 0.102.1 and earlier contain an authentication bypass vulnerability in the Clipper API when running in an Electron environment. The application disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes without any authentication or CSRF protection. Attackers on shared networks can scan for open ports typically used by Trilium, confirm the service by querying the Clipper handshake endpoint, and then access the API without credentials. This vulnerability is tracked as CVE-2026-39310 and is classified under CWE-284 (Improper Access Control) and CWE-306 (Missing Authentication for Critical Function). The vulnerability has a CVSS 3.1 base score of 8.6, indicating high severity. The issue is resolved in Trilium version 0.102.2.
Potential Impact
An attacker on a shared network can bypass authentication to access the Clipper API of Trilium Notes, potentially leading to unauthorized access to user data, phishing attacks, and local system compromise. The vulnerability affects confidentiality, integrity, and availability to varying degrees as indicated by the CVSS vector (C:L/I:H/A:L).
Mitigation Recommendations
Upgrade Trilium Notes to version 0.102.2 or later, where this authentication bypass vulnerability has been fixed. No other mitigation is specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T19:31:07.265Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0e0ccfba1db473629e776b
Added to database: 5/20/2026, 7:34:39 PM
Last enriched: 5/20/2026, 7:49:05 PM
Last updated: 5/21/2026, 5:51:31 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.