PatchSiren cyber security CVE debrief
CVE-2026-34600 laurent22 CVE debrief
CVE-2026-34600 is a medium-severity information-disclosure issue in Joplin’s delta API. In affected versions 3.5.2 and earlier, share recipients could receive delta output that included the latest state of notes even after those notes were no longer shared with them. The issue is tied to how item state is attached during delta generation and how page-based change compression can incorrectly collapse a create/delete sequence. Joplin 3.5.3 fixes the problem.
- Vendor: laurent22
- Product: joplin
- CVSS: MEDIUM 5.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Administrators and users of Joplin 3.5.2 or earlier, especially in environments where notes are shared between users or devices. Teams that rely on the delta API for synchronization should prioritize patching because the flaw can expose content that should no longer be accessible to a recipient.
Technical summary
According to the published description, ChangeModel.delta includes the latest item state in delta output when DELTA_INCLUDES_ITEMS is enabled, but it does not re-check whether those items are still shared with the requesting user. The existing removal logic only filters items deleted for all users, not items whose share has ended. The change-compression logic also incorrectly treats create followed by delete as a no-op on a per-page basis, which can drop a deletion when events span pages. The result is that the delta API can return a create event for a deleted item with the item’s full latest content attached, exposing notes no longer authorized for the recipient.
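The two mechanisms described above, as an added toy model written for this debrief (it is not Joplin's ChangeModel.delta or any project code; every identifier, the change log, the item contents and the share table are constructed assumptions). It shows how compressing each page separately lets a create event for an item the recipient no longer has access to surface with its latest content attached, and how compressing the whole change set plus re-checking share membership removes the exposure.

```python
# Constructed model of the two flaws; not Joplin code. All names are assumptions.
# Change log as the server sees it. For a recipient, "delete" also stands for
# the event emitted when an item stops being shared with them.
CHANGE_LOG = [("n1", "create"), ("n1", "update"), ("n2", "create"), ("n1", "delete")]
# Latest item state on the server: the owner still has n1, so its content exists.
ITEMS = {"n1": "private draft text", "n2": "still shared text"}
# Items the requesting user is currently allowed to see.
SHARED_WITH_USER = {"n2"}

def compress(changes):
    """Collapse each item's history within `changes` to one event:
    create..delete -> dropped, create..update -> create, update..delete -> delete."""
    first, last, order = {}, {}, []
    for item_id, kind in changes:
        if item_id not in first:
            first[item_id] = kind
            order.append(item_id)
        last[item_id] = kind
    out = []
    for item_id in order:
        if first[item_id] == "create" and last[item_id] == "delete":
            continue  # created and removed inside this window: nothing to report
        out.append((item_id, "create" if first[item_id] == "create" else last[item_id]))
    return out

def attach_items(events, check_share):
    """Attach latest state to non-delete events; the vulnerable path skips the share check."""
    out = []
    for item_id, kind in events:
        item = None
        if kind != "delete" and (not check_share or item_id in SHARED_WITH_USER):
            item = ITEMS[item_id]
        out.append((item_id, kind, item))
    return out

def delta_vulnerable(changes, page_size):
    """Compresses each page on its own and attaches items without re-checking shares."""
    pages = [changes[i:i + page_size] for i in range(0, len(changes), page_size)]
    return [e for page in pages for e in attach_items(compress(page), check_share=False)]

def delta_fixed(changes):
    """Compresses the whole change set before paging and re-checks share membership."""
    return attach_items(compress(changes), check_share=True)

def leaked_items(delta):
    """Items whose content was attached although the user is no longer in their share list."""
    return {item_id for item_id, _, item in delta if item is not None and item_id not in SHARED_WITH_USER}
```

With a page boundary between the create and the delete of n1, the vulnerable delta returns a create event for n1 carrying its current content; the fixed path returns only n2.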
Defensive priority
Medium. The CVSS score is 5.7, but the exposure can reveal sensitive note contents to unintended share recipients. Patch promptly if you run affected Joplin versions.
Recommended defensive actions
- Upgrade Joplin to version 3.5.3 or later.
- Review whether your deployment uses shared notebooks or note sharing, since that is the exposure path described in the advisory.
- If you operate synchronization clients or other API integrations, verify they are compatible with the patched release before rollout.
- Treat previously shared content as potentially exposed if unauthorized recipients may have received deltas before remediation.
- Monitor the linked GitHub advisory and release notes for any follow-up guidance.
Evidence notes
This debrief is based only on the supplied CVE record and linked official references. The CVE was published on 2026-05-19 and modified on 2026-05-20. The NVD record lists the vulnerability status as Deferred and includes references to the Joplin issue, pull request, and GitHub Security Advisory. The CVE description states the issue affects Joplin 3.5.2 and earlier and is fixed in 3.5.3.
Official resources
Publicly disclosed on 2026-05-19 and fixed in Joplin 3.5.3.