Joplin Server Delta API Logic Error Vulnerability Allowing Unauthorized Note Access

Vulnerability

A logic error has been identified in Joplin Server's delta API, affecting versions through 3.5.2. This vulnerability allows share recipients to download notes that are no longer shared with them. The issue arises because the delta API returns the latest state of items without verifying that the requesting user still has access to them under the share's current membership. As a result, items that were removed from a recipient's view by unsharing can be incorrectly reported as available, exposing confidential notes to users who should no longer have access.

Impact

Exploitation of this vulnerability allows users to access notes they should no longer have access to, potentially leading to unauthorized disclosure of confidential information.

Reproduction

The vulnerability can be reproduced by sharing a note with a user, unsharing it, and then adding a new client to that user's account. Because the new client synchronises from scratch, it downloads the note, including any changes made after the unshare, despite the user no longer having access.
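The following TypeScript model is added here as an illustration of the logic-error class described in the Vulnerability and Reproduction sections; it is not code from Joplin Server, and its store, change feed, function names and the share, user and note identifiers are all constructed for the example. The vulnerable delta reports an item with its latest state whenever the item still exists; the fixed delta additionally checks the user's current access and reports the item as deleted when access was revoked, which is what a fresh client needs in order not to download it.

```typescript
// Added illustrative model (not Joplin Server's code): a per-user change feed
// and a delta endpoint, first with the logic error, then with the check added.

type EntryType = "update" | "delete";

interface Item {
  id: string;
  ownerId: string;
  shareId: string | null; // share the item belongs to, if any
  content: string;
}

// One entry in a user's change feed: "item X was touched for user U".
interface Change {
  seq: number; // monotonic cursor value
  userId: string;
  itemId: string;
}

interface DeltaEntry {
  itemId: string;
  type: EntryType;
  content?: string; // present only when the item is delivered to the client
}

class Store {
  readonly items = new Map<string, Item>();
  readonly changes: Change[] = [];
  private readonly shareMembers = new Map<string, Set<string>>();
  private seq = 0;

  private record(userId: string, itemId: string): void {
    this.changes.push({ seq: ++this.seq, userId, itemId });
  }

  // Users who may currently see an item: its owner plus current share members.
  recipients(item: Item): string[] {
    const users = new Set<string>([item.ownerId]);
    const members = item.shareId ? this.shareMembers.get(item.shareId) : undefined;
    if (members) members.forEach((u) => users.add(u));
    return Array.from(users);
  }

  canAccess(userId: string, item: Item): boolean {
    return this.recipients(item).indexOf(userId) !== -1;
  }

  createShare(shareId: string, ownerId: string): void {
    this.shareMembers.set(shareId, new Set([ownerId]));
  }

  private itemsInShare(shareId: string): Item[] {
    return Array.from(this.items.values()).filter((i) => i.shareId === shareId);
  }

  addToShare(shareId: string, userId: string): void {
    this.shareMembers.get(shareId)!.add(userId);
    for (const item of this.itemsInShare(shareId)) this.record(userId, item.id);
  }

  // Unsharing records a change for the removed user so their clients re-evaluate the item.
  removeFromShare(shareId: string, userId: string): void {
    this.shareMembers.get(shareId)!.delete(userId);
    for (const item of this.itemsInShare(shareId)) this.record(userId, item.id);
  }

  putItem(item: Item): void {
    this.items.set(item.id, item);
    for (const u of this.recipients(item)) this.record(u, item.id);
  }
}

// Collapses a user's feed after `cursor` to the set of touched item ids.
function touchedItems(store: Store, userId: string, cursor: number): string[] {
  const ids = new Set<string>();
  for (const c of store.changes) if (c.userId === userId && c.seq > cursor) ids.add(c.itemId);
  return Array.from(ids);
}

// VULNERABLE: the item's latest state is returned whenever the item still exists,
// without checking whether the requesting user may still see it.
function deltaVulnerable(store: Store, userId: string, cursor: number): DeltaEntry[] {
  return touchedItems(store, userId, cursor).map((itemId): DeltaEntry => {
    const item = store.items.get(itemId);
    if (!item) return { itemId, type: "delete" };
    return { itemId, type: "update", content: item.content };
  });
}

// FIXED: current access is verified per item; an item the user can no longer
// access is reported as deleted so the client drops it instead of fetching it.
function deltaFixed(store: Store, userId: string, cursor: number): DeltaEntry[] {
  return touchedItems(store, userId, cursor).map((itemId): DeltaEntry => {
    const item = store.items.get(itemId);
    if (!item || !store.canAccess(userId, item)) return { itemId, type: "delete" };
    return { itemId, type: "update", content: item.content };
  });
}

// Constructed scenario mirroring the Reproduction section: share with bob,
// unshare, keep editing, then a fresh client of bob's syncs from cursor 0.
function reproduce(): { vulnerable: DeltaEntry[]; fixed: DeltaEntry[] } {
  const store = new Store();
  store.createShare("share-1", "alice");
  store.putItem({ id: "note-1", ownerId: "alice", shareId: "share-1", content: "draft v1" });
  store.addToShare("share-1", "bob");
  store.removeFromShare("share-1", "bob");
  store.putItem({ id: "note-1", ownerId: "alice", shareId: "share-1", content: "draft v2 (confidential)" });
  const freshClientCursor = 0;
  return {
    vulnerable: deltaVulnerable(store, "bob", freshClientCursor),
    fixed: deltaFixed(store, "bob", freshClientCursor),
  };
}

console.log(JSON.stringify(reproduce(), null, 2));
```

Running the block prints both deltas for bob's fresh client: the vulnerable one carries the post-unshare content of `note-1`, the fixed one reports `note-1` as deleted. The model's unshare step records a change for the removed user; without that, a fresh client would still be fine under the fixed endpoint, but an existing client would never be told to drop the note.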

Remediation

Update Joplin Server to version 3.5.3 or later, where this vulnerability has been fixed.

Added: May 19, 2026, 11:25 PM
Updated: May 19, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 5.6
remediation: 7.7
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.