Skip to main content

Trilium Notes CVE-2026-39309

MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-05-20 security-advisories@github.com
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 20, 2026 - 00:29 vuln.today
Analysis Generated
May 20, 2026 - 00:29 vuln.today

DescriptionGitHub Advisory

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission prompts by running malicious code under the identity of the trusted app. The root cause is that the RunAsNode fuse allows launching the app in a special Node.js mode using -e to execute arbitrary system commands with Trilium Notes's permissions and identity. An attacker can leverage this through a subprocess to request any sensitive permissions, such as access to hardware (camera, microphone) and TCC-protected files, causing the TCC system prompt to appear as if the request came from Trilium rather than the attacker's code, because macOS treats the subprocess as part of the parent application. Exploitation allows access to TCC-protected resources like the screen, camera, microphone, and folders such as ~/Documents and ~/Downloads, undermining macOS's security model and UI integrity through social engineering. This issue has been fixed in version 0.102.2.

AnalysisAI

Trilium Notes Electron desktop application on macOS, versions 0.102.1 and prior, permits local attackers to spoof macOS Transparency, Consent, and Control (TCC) permission prompts by exploiting the enabled RunAsNode Electron fuse, which allows arbitrary Node.js code to execute under Trilium's trusted identity. An attacker with local code execution can spawn a subprocess inheriting Trilium's macOS identity and then request TCC-protected resources - camera, microphone, screen, ~/Documents, ~/Downloads - causing the system prompt to appear as if the legitimate Trilium Notes app is requesting access, not the attacker. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the social-engineering angle makes it particularly dangerous for macOS users who extend implicit trust to Trilium. Version 0.102.2 resolves the issue by disabling the RunAsNode fuse.

Technical ContextAI

Trilium Notes is an Electron-based desktop application, meaning it wraps a Chromium browser and a Node.js runtime into a native app bundle. Electron exposes a 'fuses' system - compile-time or post-build flags that toggle runtime capabilities. The RunAsNode fuse, when enabled, allows the Electron binary to be invoked as a generic Node.js interpreter via the ELECTRON_RUN_AS_NODE environment variable or the -e flag, executing arbitrary JavaScript outside the app's intended context but still under the app bundle's macOS process identity and code-signing entitlements. macOS TCC (Transparency, Consent, and Control) grants or denies access to sensitive resources based on the requesting process's bundle identity, not the content of the code it runs. CWE-290 (Authentication Bypass by Spoofing) captures the root cause: the attacker presents a false identity - Trilium Notes - to the macOS security subsystem in order to bypass the trust decision that TCC is supposed to enforce. The affected CPE is the Trilium Notes Electron desktop application up to and including version 0.102.1 on macOS.

Affected ProductsAI

Trilium Notes Electron desktop application versions 0.102.1 and all prior releases are affected on macOS where the RunAsNode Electron fuse is enabled by default. The vulnerability is specific to the desktop (Electron) distribution; server-only or web-only deployments are not affected by this TCC bypass since TCC is a macOS-exclusive permission framework. The vendor advisory is published at https://github.com/TriliumNext/Trilium/security/advisories/GHSA-66pm-8hvq-2wwx and the patched release is documented at https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2. No explicit CPE string was provided in the NVD data at time of analysis.

RemediationAI

Upgrade Trilium Notes to version 0.102.2 immediately. The v0.102.2 release explicitly adds Electron fuses to harden the desktop application and improves application integrity checks, directly disabling the RunAsNode capability that enables this attack. The vendor release notes describe this as an important security fix and strongly encourage immediate update for all users. The release is available at https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2 and the advisory is at https://github.com/TriliumNext/Trilium/security/advisories/GHSA-66pm-8hvq-2wwx. For environments where immediate upgrade is not feasible, a compensating control is to revoke any TCC permissions Trilium Notes has already been granted - via System Settings > Privacy & Security - so that even a successful prompt-spoof attack cannot access resources Trilium was never authorized to use. This workaround is imperfect because it may degrade legitimate Trilium functionality and does not prevent the attacker from triggering new prompts; it merely reduces the blast radius by ensuring no pre-authorized grants exist.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-39309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy