PatchSiren cyber security CVE debrief
CVE-2026-39310 TriliumNext CVE debrief
CVE-2026-39310 is a high-severity authentication-bypass issue in Trilium Notes Desktop versions 0.102.1 and earlier. In an Electron environment, Trilium disables authentication middleware for the Clipper API, which can leave endpoints such as /api/clipper/notes reachable without a password, API token, or CSRF protection. The supplied advisory indicates that an attacker on the same network can discover exposed instances on high-range ports, confirm a candidate by querying the unauthenticated handshake endpoint, and then access note data or interact with the local application. The issue is fixed in version 0.102.2.
- Vendor: TriliumNext
- Product: Trilium
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Anyone running Trilium Notes Desktop 0.102.1 or earlier, especially on laptops or workstations exposed to shared or untrusted networks such as corporate LANs, guest Wi-Fi, or public Wi-Fi. Security teams should also care because the flaw can expose local note data and allow unauthorized interaction with the application without any credentials.
Technical summary
The core issue is that Trilium detects an Electron environment and then disables authentication middleware for the Clipper API. According to the supplied description and advisory references, that means API endpoints including /api/clipper/notes may be exposed without authentication controls that would normally require a password, API token, or CSRF protection. The advisory also notes an unauthenticated handshake endpoint that returns the application name and protocol version, which can be used to identify a live Trilium instance. The NVD record lists CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L and weaknesses CWE-284 and CWE-306.
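As an added illustration of the weakness class described above (CWE-306, authentication middleware conditionally skipped based on the runtime environment), the following JavaScript is not Trilium's own code and makes no claim about how its router is written: a minimal Express-style middleware chain where an Electron check decides whether the auth middleware is installed, beside a hardened wiring that registers it unconditionally. The router, the token value and the note handler are constructed stand-ins.

```javascript
// Minimal stand-in for an Express router (constructed for this example):
// middlewares whose path prefix matches run in order, each one calling next().
function makeRouter() {
  const stack = [];
  return {
    use(pathPrefix, fn) { stack.push({ pathPrefix, fn }); },
    handle(req) {
      const res = { status: 404, body: null }; // 404 until a handler answers
      let i = 0;
      const next = () => {
        while (i < stack.length) {
          const { pathPrefix, fn } = stack[i++];
          if (req.path.startsWith(pathPrefix)) { fn(req, res, next); return; }
        }
      };
      next();
      return res;
    },
  };
}

// Auth middleware: a logged-in session or an API token is required; otherwise 401.
// "valid-token" is a constructed placeholder, not a real credential format.
function requireAuth(req, res, next) {
  if (req.session?.loggedIn || req.headers["authorization"] === "valid-token") return next();
  res.status = 401;
  res.body = "unauthorized";
}

// Stand-in for a clipper notes handler that returns note data.
function clipperNotes(req, res) { res.status = 200; res.body = ["note-1", "note-2"]; }

// Vulnerable wiring: the environment check decides whether auth is installed at all,
// so under Electron the clipper routes are reachable by any client that can connect.
function buildVulnerableApp({ isElectron }) {
  const app = makeRouter();
  if (!isElectron) app.use("/api/clipper", requireAuth);
  app.use("/api/clipper/notes", clipperNotes);
  return app;
}

// Hardened wiring: auth is registered unconditionally; the environment never
// changes which middleware protects a network-reachable route.
function buildHardenedApp() {
  const app = makeRouter();
  app.use("/api/clipper", requireAuth);
  app.use("/api/clipper/notes", clipperNotes);
  return app;
}

// Constructed anonymous request: no session, no token.
const anonReq = { path: "/api/clipper/notes", headers: {}, session: {} };
console.log("vulnerable+electron:", buildVulnerableApp({ isElectron: true }).handle(anonReq).status);
console.log("hardened:", buildHardenedApp().handle(anonReq).status);
```

The check a reviewer can apply from this is mechanical: every route that is reachable over a socket must pass through the auth middleware regardless of runtime flags, and tests should assert a 401 for an anonymous request in every environment configuration.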
Defensive priority
High. This is a network-reachable authentication bypass with no privileges required and no user interaction, so exposed instances should be prioritized for upgrade and exposure review.
Recommended defensive actions
- Upgrade Trilium Notes to version 0.102.2 or later, which the advisory identifies as the fixed release.
- Inventory any Trilium Desktop installations running on versions 0.102.1 and earlier, with attention to systems that may be reachable from the local network.
- Limit network exposure for Trilium-related ports on endpoints and firewalls, especially on shared or untrusted networks.
- Verify whether any Clipper API endpoints are reachable without authentication on affected versions and treat such exposure as sensitive.
- If immediate upgrade is not possible, isolate affected hosts from untrusted networks until remediation is complete.
- Review local notes and application activity for unauthorized access if the service was exposed on a reachable network.
Evidence notes
The CVE record published on 2026-05-20 cites TriliumNext/Trilium release v0.102.2 and GitHub security advisory GHSA-jcvx-vc83-cppw as references. The supplied description states that versions 0.102.1 and prior are affected, that Electron mode disables authentication middleware for the Clipper API, and that the issue is fixed in 0.102.2. The NVD metadata provides the network-exposed, no-privileges CVSS vector and lists CWE-284 and CWE-306. The description also states that Trilium often binds to ports such as 37840 and that the handshake endpoint can confirm a live instance without authentication; these details are taken from the provided source corpus.
Official resources
Publicly disclosed on 2026-05-20, with the CVE record and NVD source item both dated 2026-05-20T20:16:39.213Z. The supplied sources indicate the fix was released in TriliumNext/Trilium v0.102.2.