Skip to main content

Trilium Notes CVE-2026-35593

MEDIUM
Path Traversal (CWE-22)
2026-05-20 security-advisories@github.com
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 20, 2026 - 00:29 vuln.today
Analysis Generated
May 20, 2026 - 00:29 vuln.today

DescriptionGitHub Advisory

Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, allowing an authenticated attacker to read sensitive arbitrary files from the server's filesystem. The uploadModifiedFileToAttachment function, which is called when a POST request is received to /api/attachments/{attachmentId}/upload-modified-file, replaces the content of the attachment with the content from another file (whose path is provided in filePath of Request body). After which the content of the attachment can be viewed at /api/attachments/{attachmentId}/download. This exposes sensitive system files such as SSH keys, credentials, configs, and OS files, potentially leading to remote code execution and compromise of co-hosted applications. This issue has been fixed in version 0.102.2.

AnalysisAI

Path traversal via the attachment upload API in Trilium Notes 0.102.1 and prior allows an authenticated high-privilege attacker to read arbitrary files from the server's filesystem by supplying a controlled file path in a POST request body. The two-step exploitation pattern - POST to /api/attachments/{attachmentId}/upload-modified-file to stage a file, then GET from /api/attachments/{attachmentId}/download to retrieve its contents - effectively turns the attachment system into an unauthenticated file disclosure proxy once the initial write is performed. The CVSS Changed scope (S:C) reflects that exposed materials such as SSH keys, database credentials, and application configs can cascade into compromise of co-hosted services well beyond Trilium itself. No public exploit or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

Trilium Notes is a Node.js-based hierarchical knowledge base application (TriliumNext/Trilium) that exposes a REST API for managing notes and attachments. The vulnerable code path is the uploadModifiedFileToAttachment handler, which processes POST /api/attachments/{attachmentId}/upload-modified-file requests. The filePath parameter in the JSON request body is accepted without path traversal sanitization - a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) failure. The handler reads the file at the attacker-supplied path and overwrites the specified attachment's stored content with it. Because Trilium runs as a server process with access to the underlying OS filesystem, any file readable by the Trilium process user is accessible. The CVSS vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N confirms network delivery, low complexity, no user interaction, high confidentiality impact, and scope change indicating lateral impact beyond the application boundary.

Affected ProductsAI

Trilium Notes versions 0.102.1 and all prior releases are affected across all supported platforms (Windows, Linux, macOS desktop via Electron, and self-hosted server deployments). The vulnerability is tracked under GitHub Security Advisory GHSA-hf4x-22rg-pjjp. No CPE string was provided in the source intelligence; affected builds correspond to TriliumNext/Trilium repository releases up to and including v0.102.1. The vendor advisory and fixed release are available at https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hf4x-22rg-pjjp and https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2.

RemediationAI

Upgrade to Trilium Notes v0.102.2 immediately - the vendor release notes explicitly flag this as a critical security release and strongly encourage immediate update for all users. The fix is confirmed in the GitHub release at https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2, which also aligns attachment upload validation with note upload validation and adds MIME type checks. If immediate upgrade is not feasible, restrict network access to the Trilium API port at the firewall or reverse proxy layer to trusted IP ranges only, preventing unauthenticated network reachability to the attachment upload endpoint - note this does not eliminate risk from a compromised internal admin account. Additionally, audit the Trilium process user's OS permissions and ensure it runs under a dedicated low-privilege account with a restricted home directory, reducing the blast radius of any successful file read. Rotate any credentials or SSH keys stored in paths accessible to the Trilium process user as a precautionary measure if the instance was internet-exposed.

Share

CVE-2026-35593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy