PT-2026-6798 · Unknown · Trilium Notes
Published
2026-02-06
·
Updated
2026-02-09
·
CVE-2025-68621
CVSS v3.1
7.4
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Trilium Notes versions prior to 0.101.0
Description
Trilium Notes is a cross-platform note taking application. A timing attack in the sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes through statistical timing analysis. Successful exploitation enables complete authentication bypass, granting full read/write access to a victim’s knowledge base without password knowledge. The vulnerable endpoint is the sync authentication endpoint. The authentication hashes are recovered byte-by-byte.
Recommendations
Update to version 0.101.0 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Trilium Notes