Description
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INCLUDES_ITEMS is enabled (the default), the latest state of items is attached to delta output without verifying that those items are still shared with the requesting user, and the existing removal logic only filters items deleted for all users. Additionally, the change compression logic incorrectly reduces create - delete to NOOP, which is unsafe because compression is applied per page and an item can have multiple create events; if an earlier create falls on a separate page from a later create -> delete pair, the deletion is dropped and the sequence collapses to a create. As a result, the delta API returns a create event for a deleted item with the full latest content attached, exposing notes the user no longer has access to. This issue has been fixed in version 3.5.3.
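To make the two failure points concrete, the following is an added simplified model, not Joplin's code: per-page change compression and item attachment as the advisory describes them, beside a safer variant. The ChangeType names, the compressSafe rule, the stillShared callback and the note-1 scenario are assumptions for illustration.

```typescript
// Added illustration, not Joplin's code: a simplified model of per-page delta
// change compression and of attaching item content, showing why reducing
// create -> delete to NOOP can leak a deleted item to a former share recipient.
type ChangeType = "create" | "update" | "delete";
interface Change { itemId: string; type: ChangeType; item?: string }

// Unsafe compression (the behaviour the advisory describes): within one page,
// a create followed by a delete is dropped as if the item had never existed.
function compressUnsafe(page: Change[]): Change[] {
  const last = new Map<string, Change | null>();
  for (const c of page) {
    const prev = last.get(c.itemId);
    if (prev && prev.type === "create" && c.type === "delete") last.set(c.itemId, null); // NOOP
    else if (!prev || prev.type !== "create" || c.type === "delete") last.set(c.itemId, c);
  }
  return Array.from(last.values()).filter((c): c is Change => c !== null);
}

// Safer compression (an assumed fix, not necessarily the one shipped in 3.5.3):
// a delete always survives, because an earlier create may sit on another page.
function compressSafe(page: Change[]): Change[] {
  const last = new Map<string, Change>();
  for (const c of page) {
    const prev = last.get(c.itemId);
    if (!prev || prev.type !== "create" || c.type === "delete") last.set(c.itemId, c);
  }
  return Array.from(last.values());
}

// Replay compressed pages in order, as a sync client consuming the delta would.
function netState(pages: Change[][], compress: (p: Change[]) => Change[]): Map<string, ChangeType> {
  const state = new Map<string, ChangeType>();
  for (const page of pages) for (const c of compress(page)) state.set(c.itemId, c.type);
  return state;
}

// Attaching latest item content (DELTA_INCLUDES_ITEMS): re-check that the item is
// still shared with the requester first; `() => true` models the unchecked path.
function attachItems(changes: Change[], stillShared: (id: string) => boolean): Change[] {
  return changes.map((c) =>
    c.type !== "delete" && stillShared(c.itemId) ? { ...c, item: `content-of-${c.itemId}` } : c);
}

// Constructed scenario: an earlier create lands on page 1; a later
// create -> delete pair for the same item lands on page 2.
const pages: Change[][] = [
  [{ itemId: "note-1", type: "create" }],
  [{ itemId: "note-1", type: "create" }, { itemId: "note-1", type: "delete" }],
];
```

Replaying both pages through compressUnsafe leaves note-1 in state "create", so a client that then attaches content with no share re-check receives the deleted note; compressSafe leaves it in state "delete".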
Published: 2026-05-19
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in Joplin Server's delta API allows recipients of previously shared notes to receive the full content of notes that have been revoked, exposing confidential information. The flaw stems from the API failing to verify that returned items remain shared with the requesting user and from incorrect change compression logic that can leave a delete operation ineffective. This results in a confidentiality breach categorized by CWE-200, CWE-281, and CWE-863.

Affected Systems

The vulnerability affects the Joplin note-taking application from vendor laurent22. Versions 3.5.2 and earlier are impacted; users of those releases should verify the installed version.

Risk and Exploitability

The CVSS score of 5.7 indicates a moderate severity that allows data exposure when the API is called. No EPSS score was reported and the vulnerability is not listed in CISA KEV, suggesting the exploit likelihood is currently unknown. However, because the issue arises from an authenticated API call, any user with access to the delta endpoint for a previously shared note can trigger the data leak.

Generated by OpenCVE AI on May 19, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Joplin to version 3.5.3 or newer, which implements a fix for the delta API logic.
  • If an upgrade cannot be performed immediately, disable the delta API’s inclusion of latest items (DELTA_INCLUDES_ITEMS) for users who have had shares revoked, or otherwise prevent them from accessing delta endpoints until the patch is applied.
  • Verify that revoked share permissions are correctly enforced in your deployment and monitor delta API usage for unexpected data exposure.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Laurent 22; Laurent 22 joplin

Type: Vendors & Products
Values removed: (none)
Values added: Laurent 22; Laurent 22 joplin

Tue, 19 May 2026 22:45:00 +0000

Type: Description
Values removed: (none)
Values added: the description shown under Description above

Type: Title
Values removed: (none)
Values added: Joplin Server delta API returns note content after share access is revoked

Type: Weaknesses
Values removed: (none)
Values added: CWE-200; CWE-281; CWE-863

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T14:10:38.820Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34600

Vulnrichment

Updated: 2026-05-20T14:10:27.788Z

NVD

Status: Deferred

Published: 2026-05-19T23:16:57.290

Modified: 2026-05-20T16:16:25.463

Link: CVE-2026-34600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:00:04Z

Weaknesses