Description
Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Relay Server enables real‑time collaboration in Obsidian. Versions 0.9.0 through 0.9.6 contained an authentication bypass in the multi‑document WebSocket endpoints. When authentication is enabled, connections that omit the required token query parameter are treated as fully authorized. As a result, an unauthenticated attacker who knows or can guess a document ID can open the sync WebSocket, read the entire document and modify its contents without possessing a valid token.

Affected Systems

The vulnerability affects all installations of No‑Instructions Relay Server version 0.9.0 through 0.9.6. The fix is available in 0.9.7 and later. Users of earlier or pre‑1.0 builds are also at risk if they use the WebSocket sync features.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity. The EPSS score is not available, but the lack of a KEV listing suggests no known active exploitation yet. The likely attack vector is a network‑based attacker who can reach the Relay Server’s WebSocket endpoints. Given the requirement to know or guess a document ID, an attacker can simply test common identifiers or rely on leaked IDs, then establish a WebSocket connection without a token and gain full read/write access to that document.

Generated by OpenCVE AI on May 12, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Relay Server 0.9.7 or newer, which removes the bypass.
  • Ensure that authentication is enabled and that every WebSocket connection requires a valid token; enforce token presence on the server side.
  • Limit exposure of the WebSocket endpoints by firewalling or requiring TLS with client authentication, reducing the chance of unauthenticated access.
  • Consider disabling the multi‑document sync feature temporarily until the security patch is applied.

Generated by OpenCVE AI on May 12, 2026 at 21:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared No-instructions
No-instructions relay-server
Vendors & Products No-instructions
No-instructions relay-server

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7.
Title Relay Server WebSocket authentication bypass when token is omitted
Weaknesses CWE-639
CWE-863
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

No-instructions Relay-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T12:32:58.746Z

Reserved: 2026-04-30T18:49:06.712Z

Link: CVE-2026-42889

cve-icon Vulnrichment

Updated: 2026-05-13T12:32:04.312Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T20:16:42.143

Modified: 2026-05-13T18:21:10.270

Link: CVE-2026-42889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:36:20Z

Weaknesses