Cyber Resilience

CVE-2025-68621

Severity: High · Public PoC

Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: available (fixed in 0.101.0)
CVSS Score v3.1: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (11.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68621 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Triliumnotes Trilium. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

Trilium Notes, an open-source cross-platform hierarchical note-taking application designed for building large personal knowledge bases, is affected by CVE-2025-68621. This high-severity timing attack vulnerability (the upstream advisory describes it as critical), classified under CWE-208 (Observable Timing Discrepancy), exists in the sync authentication endpoint in versions prior to 0.101.0. It enables attackers to recover the HMAC authentication hash byte-by-byte via statistical timing analysis, with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Unauthenticated remote attackers can exploit this vulnerability over the network by sending crafted authentication requests and measuring response times with high precision. Because the comparison leaks how many leading bytes of the submitted hash matched, each byte can be guessed independently, reducing the search from 256^n candidates for an n-byte hash to at most 256·n guesses, each repeated enough times for the timing signal to stand out from network jitter. That repeated sampling requirement is what the Attack Complexity: High metric reflects. Through this statistical analysis an attacker can reconstruct the full HMAC hash without knowing the password, achieving complete authentication bypass. Successful exploitation grants full read/write access to the victim's knowledge base.

The vulnerability is addressed in Trilium Notes version 0.101.0, which moves the authenticator check to a constant-time comparison. Security practitioners should upgrade to 0.101.0 or later; where an immediate upgrade is not possible, consult the GitHub security advisory at https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x for interim mitigations. The fixing pull request is https://github.com/TriliumNext/Trilium/pull/8129.

Vulnerability details

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.

CWE(s)

CWE-208 Observable Timing Discrepancy

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Timing attack enables remote authentication bypass on the exposed sync endpoint of a public-facing application, directly matching T1190 for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-42512 (shared CWE-208)
CVE-2026-40972 (shared CWE-208)
CVE-2026-5086 (shared CWE-208)
CVE-2026-28464 (shared CWE-208)
CVE-2026-42602 (shared CWE-208)
CVE-2026-47783 (shared CWE-208)
CVE-2024-13939 (shared CWE-208)
CVE-2025-48630 (shared CWE-208)
CVE-2026-47373 (shared CWE-208)
CVE-2025-70949 (shared CWE-208)

Affected Assets

triliumnotes / trilium
Affected versions: < 0.101.0 (0.101.0 is the fixed release)

Mitigating Controls (NIST 800-53 r5, AI mapping)

AC-3 Access Enforcement · prevent
Directly enforces approved authorizations at the sync endpoint; the timing flaw permits complete bypass of that enforcement.

IA-5 Authenticator Management · prevent
Requires secure management and verification of authenticators (HMAC hashes), which constant-time comparison would satisfy.

IA-6 Authentication Feedback · prevent
Obscures authentication feedback; timing discrepancies constitute observable feedback that enables the byte-by-byte attack.

References

GitHub security advisory GHSA-hxf6-58cx-qq3x: https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x
Fixing pull request: https://github.com/TriliumNext/Trilium/pull/8129