Trilium Notes Authentication Bypass (CVE-2026-39310) Exposes Data

/HIGH /CVSS 8.6/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityauthentication-bypasscwe-284cwe-306
Trilium Notes Authentication Bypass (CVE-2026-39310) Exposes Data

The National Vulnerability Database reports a critical authentication bypass vulnerability, CVE-2026-39310, affecting Trilium Notes versions 0.102.1 and prior. Specifically, the Clipper API in Trilium Desktop (v0.101.3), when running in an Electron environment, explicitly disables authentication middleware. This exposes sensitive endpoints, such as /api/clipper/notes, without requiring a password, API token, or CSRF protection.

This flaw allows an attacker on a shared network—think corporate LANs or public Wi-Fi—to scan for open high-range ports, often used by Trilium (e.g., 37840). An unauthenticated request to the Clipper handshake endpoint, which also bypasses authentication, confirms a vulnerable Trilium instance. This directly facilitates unauthorized data access, opens avenues for phishing attacks, and can lead to local system compromise. The National Vulnerability Database assigns this a CVSS score of 8.6 (HIGH).

Trilium Notes has addressed this issue in version 0.102.2. Defenders must prioritize patching to mitigate this significant risk. The attacker’s calculus here is straightforward: exploit an explicit design flaw that removes security controls in a specific environment, turning a local network into an open door for data exfiltration and further compromise.

What This Means For You

  • If your organization uses Trilium Notes, especially in shared network environments, you are exposed. Check immediately if you are running Trilium Notes version 0.102.1 or prior. Patch to version 0.102.2 without delay. This isn't a complex exploit; it's a direct authentication bypass that attackers can leverage with basic network scanning.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Cloud Accounts Initial Access T1595.002 Scanning IP Blocks Reconnaissance

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-39310 - Trilium Notes Unauthenticated Clipper API Access

Sigma YAML — free preview 
title: CVE-2026-39310 - Trilium Notes Unauthenticated Clipper API Access
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
  Detects unauthenticated access to the Trilium Notes Clipper API endpoint '/api/clipper/notes'. This specific path is exposed due to CVE-2026-39310 in versions prior to 0.102.2 when running in an Electron environment, allowing attackers to bypass authentication and access sensitive data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-39310/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri:
          - '/api/clipper/notes'
      cs-method:
          - 'GET'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-39310 Auth Bypass Trilium Notes versions 0.102.1 and prior
CVE-2026-39310 Auth Bypass Trilium Desktop v0.101.3
CVE-2026-39310 Auth Bypass Clipper API in Electron environment
CVE-2026-39310 Auth Bypass Exposed endpoint /api/clipper/notes without authentication
CVE-2026-39310 Information Disclosure Clipper handshake endpoint revealing application name and protocol version

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 20, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-4811 — Cross-Site Scripting (XSS)

CVE-2026-4811 — The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting...

vulnerabilityCVEmedium-severitycross-site-scripting-xsscwe-79
/SCW Vulnerability Desk /MEDIUM /4.9 /⚑ 2 IOCs /⚙ 3 Sigma

CVE-2026-1881 — The Broadstreet plugin for WordPress is vulnerable to

CVE-2026-1881 — The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta...

vulnerabilityCVEmedium-severitycwe-639
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-9149 — Libsolv Buffer Overflow

CVE-2026-9149 — A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative...

vulnerabilityCVEmedium-severitybuffer-overflowcwe-122
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma