Security update: Joplin Server vulnerability addressed in version 3.3.3

We recently identified a vulnerability in Joplin Server that could potentially allow privilege escalation by exploiting an API endpoint.

Fix in version 3.3.3

The vulnerability has been fixed in Joplin Server version 3.3.3, and we strongly recommend that all users upgrade to this version as soon as possible to ensure the security of their systems.

Impact on Joplin Cloud

While Joplin Cloud may have been affected, it uses a separate domain for the API, which means the known proof of concept does not work on Joplin Cloud. Additionally, our logs have been inspected over the past 12 months, and no attempts to exploit this vulnerability were detected. Joplin Cloud has now been upgraded to the fixed version to ensure continued security.

Next steps

We will provide more details about the vulnerability soon. In the meantime, please ensure that your Joplin Server is updated to version 3.3.3.

If you have any questions, please ask here.


Appreciate the notice! I just got up and running with version 3.3.2 on my Raspberry Pi. I will be upgrading tonight.

Thanks for fixing this security issue!

I have successfully updated my Joplin server, according to docker history:
ARG VERSION=3.3.3-beta

However, the admin page still shows v3.0.1, which can be confusing:
Joplin Server v3.0.1, copyright © 2021-2025 JOPLIN.

Then you're still running 3.0.1. Make sure your configuration is correct and that the correct Docker image is deployed.

Issue fixed, now "Joplin Server v3.3.3" is shown.
Thank you Laurent for the hint :+1:


Thanks for the disclosure!