Unrated severityNVD Advisory· Published Feb 6, 2026· Updated Feb 9, 2026

Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

CVE-2025-68621

Description

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.

Affected products

Triliumnext/Triliumv5
Range: < 0.101.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/TriliumNext/Trilium/pull/8129mitrex_refsource_MISC
github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3xmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000