CVE-2025-68621

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/TriliumNext/Trilium/pull/8129	Issue Tracking Patch
https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x	Exploit Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:triliumnotes:trilium:*:*:*:*:*:*:*:*

History

24 Feb 2026, 15:14

Type	Values Removed	Values Added
First Time		Triliumnotes trilium Triliumnotes
CPE		cpe:2.3:a:triliumnotes:trilium::::::::
References	~~() https://github.com/TriliumNext/Trilium/pull/8129 -~~	() https://github.com/TriliumNext/Trilium/pull/8129 - Issue Tracking, Patch
References	~~() https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x -~~	() https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x - Exploit, Mitigation, Patch, Vendor Advisory
Summary		(es) Trilium Notes es una aplicación jerárquica para tomar notas de código abierto y multiplataforma, con enfoque en la construcción de grandes bases de conocimiento personales. Antes de 0.101.0, una crítica vulnerabilidad de ataque de temporización en el punto final de autenticación de sincronización de Trilium permite a atacantes remotos no autenticados recuperar hashes de autenticación HMAC byte a byte mediante análisis estadístico de temporización. Esto permite una omisión completa de autenticación sin conocimiento de la contraseña, otorgando acceso completo de lectura/escritura a la base de conocimiento de la víctima. Esta vulnerabilidad está corregida en 0.101.0.

06 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-06 22:16

Updated : 2026-02-24 15:14

NVD link : CVE-2025-68621

Mitre link : CVE-2025-68621

CVE.ORG link : CVE-2025-68621

JSON object : View

Products Affected

triliumnotes

trilium

CWE

CWE-208

Observable Timing Discrepancy

7.4 /10