CVE-2025-68621 PUBLISHED

Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

Assigner: GitHub_M
Reserved: 19.12.2025 Published: 06.02.2026 Updated: 06.02.2026

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to the victim's knowledge base. This vulnerability is fixed in 0.101.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 7.4

Product Status

Vendor TriliumNext
Product Trilium
Versions
  • Version < 0.101.0 is affected

References

Problem Types

  • CWE-208: Observable Timing Discrepancy