PT-2026-42026 · Unknown · Trilium Notes

Swayzgl1Tzyyy

Published 2026-05-19 · Updated 2026-05-20 · CVE-2026-39309

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Trilium Notes versions prior to 0.102.2

Description: The Electron configuration allows a TCC bypass via prompt spoofing, where TCC (Transparency, Consent, and Control) is the macOS security framework that manages permissions for sensitive resources. Local attackers can execute malicious code under the identity of the trusted application to trigger misleading permission prompts. This occurs because the RunAsNode fuse is left enabled, which allows the application to be launched in a plain Node.js mode where the -e flag executes arbitrary system commands with the application's permissions. From such a subprocess, an attacker can request access to TCC-protected resources such as the camera, microphone, screen, and folders like ~/Documents and ~/Downloads. Since macOS treats the subprocess as part of the parent application, the system prompt appears to originate from the trusted app, facilitating social engineering attacks.

Recommendations: Update to version 0.102.2.
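As a defender-side check that the fix actually landed in a deployed build (an added example, not part of this advisory or of Trilium's own code), the script below reads the Electron fuse wire straight out of an Electron Framework binary and reports whether RunAsNode is still enabled. The sentinel string, the version/length/fuse-byte layout and the fuse order are taken from the @electron/fuses package as understood here and are assumptions to cross-check against `npx @electron/fuses read --app <path>`; the two sample wires are constructed, not real Trilium bytes.

```python
import sys

# Sentinel that marks the start of the fuse wire inside the Electron
# Framework binary (on macOS: Electron Framework.framework/Electron Framework).
FUSE_SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"

# Fuse order for fuse wire version 1, following the FuseV1Options enum in
# @electron/fuses (assumed layout; RunAsNode is the first fuse).
FUSE_V1_NAMES = [
    "RunAsNode",
    "EnableCookieEncryption",
    "EnableNodeOptionsEnvironmentVariable",
    "EnableNodeCliInspectArguments",
    "EnableEmbeddedAsarIntegrityValidation",
    "OnlyLoadAppFromAsar",
    "LoadBrowserProcessSpecificV8Snapshot",
    "GrantFileProtocolExtraPrivileges",
]
# Each fuse is stored as an ASCII byte: '0' disabled, '1' enabled, 'r' removed.
FUSE_STATES = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}


def parse_fuses(binary: bytes) -> dict:
    """Locate the fuse wire (sentinel, version, count, fuses) and map name -> state."""
    pos = binary.find(FUSE_SENTINEL)
    if pos < 0:
        raise ValueError("fuse sentinel not found; not an Electron binary?")
    pos += len(FUSE_SENTINEL)
    version, count = binary[pos], binary[pos + 1]
    if version != 1:
        raise ValueError(f"unsupported fuse wire version {version}")
    fuses = {}
    for i in range(count):
        name = FUSE_V1_NAMES[i] if i < len(FUSE_V1_NAMES) else f"fuse_{i}"
        fuses[name] = FUSE_STATES.get(binary[pos + 2 + i], "unknown")
    return fuses


def run_as_node_exposed(binary: bytes) -> bool:
    """True when the app can still be started as plain Node.js (the advisory's precondition)."""
    return parse_fuses(binary)["RunAsNode"] == "enabled"


# Constructed sample wires padded with filler bytes: one with RunAsNode
# enabled, one hardened with RunAsNode disabled and ASAR integrity on.
SAMPLE_EXPOSED = b"\x00" * 16 + FUSE_SENTINEL + bytes([1, 8]) + b"11000000" + b"\x00" * 16
SAMPLE_HARDENED = b"\x00" * 16 + FUSE_SENTINEL + bytes([1, 8]) + b"01001100" + b"\x00" * 16

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPOSED
    for name, state in parse_fuses(data).items():
        print(f"{name:40} {state}")
    print("RunAsNode exposed:", run_as_node_exposed(data))
```

Run it against the framework binary inside the installed .app bundle after updating; a reported "RunAsNode enabled" means the build still carries the precondition described above.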

Weakness Enumeration

UI Misrepresentation of Critical Information

Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-39309

Affected Products

Trilium Notes