CVE-2025-68621 HIGH

CVE-2025-68621: Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

Vendor Triliumnext
Product Trilium
Weakness CWE-208
Published February 6, 2026
Last update February 9, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Trilium Notes is an open-source, cross-platform hierarchical note-taking application focused on building large personal knowledge bases. Prior to 0.101.0, a timing attack vulnerability in Trilium's sync authentication endpoint (/api/login/sync) allows unauthenticated remote attackers to recover HMAC authentication hashes byte by byte through statistical timing analysis. This enables complete authentication bypass without knowledge of the password, granting full read/write access to the victim's knowledge base. The attack complexity is rated High because the attacker must collect enough timing samples to separate the per-byte difference from network jitter; once the hash is recovered, no further interaction is needed. This vulnerability is fixed in 0.101.0.

Key dates

02 Disclosure timeline

February 6, 2026 CVE published
February 9, 2026 Record updated