Description

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.

INFO

Published Date :

2026-02-06T21:21:19.308Z

Last Modified :

2026-02-09T15:26:56.399Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68621 vulnerability.

Vendors Products
Triliumnext
  • Trilium
Triliumnotes
  • Trilium
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68621.

URL Resource
https://github.com/TriliumNext/Trilium/pull/8129 cve-icon cve-icon
https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact