PT-2026-42023 · Joplin · Joplin

Published: 2026-05-19 · Updated: 2026-05-19 · CVE-2026-34600

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 3.5.3

Description: A logic error in the delta API allows share recipients to download notes that are no longer shared with them. In the ChangeModel.delta function, when DELTA_INCLUDES_ITEMS is enabled, the latest state of items is attached to the delta output without verifying whether the requesting user still has access, because the removal logic only filters out items deleted for all users. Furthermore, the change compression logic incorrectly reduces a create-delete sequence to a NOOP (No Operation). Because compression is applied per page, if an earlier create event is on a different page than a subsequent create-delete pair, the deletion is dropped. This causes the delta API to return a create event for a deleted item, including its full latest content.

Recommendations: Update to version 3.5.3.
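
The per-page compression flaw from the description, as an added example: a simplified model, not Joplin's code and not the actual fix. All names (changeLog, compressPage, delta, leakedItems) and the sample data are constructed, and turning an inaccessible create into a delete is this example's own choice for the access check.

```javascript
// Simplified model of the flaw; names and data are constructed, not Joplin code.
const CREATE = 'create', DELETE = 'delete';

// n1 was shared with the recipient and later unshared. The owner still has
// it, so its latest content exists on the server.
const changeLog = [
  { itemId: 'n1', type: CREATE },
  { itemId: 'n2', type: CREATE },
  { itemId: 'n1', type: CREATE },
  { itemId: 'n1', type: DELETE },
];
const items = { n1: 'owner-only text', n2: 'still shared' };
const recipientAccess = new Set(['n2']);

// A create followed by a delete of the same item within one page is
// reduced to a NOOP and dropped.
function compressPage(page) {
  const out = new Map();
  for (const c of page) {
    const prev = out.get(c.itemId);
    if (prev && prev.type === CREATE && c.type === DELETE) out.delete(c.itemId);
    else out.set(c.itemId, { ...c });
  }
  return [...out.values()];
}

// checkAccess=false models the flawed path; true adds the missing check.
function delta(pageSize, checkAccess) {
  const events = [];
  for (let i = 0; i < changeLog.length; i += pageSize) {
    for (const c of compressPage(changeLog.slice(i, i + pageSize))) {
      if (c.type === DELETE) { events.push(c); continue; }
      if (!(c.itemId in items)) continue; // deleted for all users
      if (checkAccess && !recipientAccess.has(c.itemId)) {
        events.push({ itemId: c.itemId, type: DELETE }); // this example's choice
      } else {
        events.push({ ...c, item: items[c.itemId] }); // latest content attached
      }
    }
  }
  return events;
}

// Regression check: content returned for items the recipient cannot access.
function leakedItems(events) {
  return events.filter(e => 'item' in e && !recipientAccess.has(e.itemId))
    .map(e => e.itemId);
}

console.log(leakedItems(delta(2, false)), leakedItems(delta(2, true)));
```

With a page size of 4 the whole log is compressed together and n1 never appears; with a page size of 2 the create on the first page survives while the create-delete pair on the second page cancels out, so only the access check prevents the content from being returned.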

Improper Preservation of Permissions · Information Disclosure · Incorrect Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-34600

Affected Products: Joplin