Obsidian 1.13.1

Obsidian  ❘ Freeware
Android iOS Windows Mac
Rank 6 among competitors
Latest Version
1.13.1
Virus checked

Here are recurring questions and related user issues:

Has Obsidian (the note‑taking app) had any known security vulnerabilities, and were they fixed?

Yes. Over the years several CVEs have been published and subsequently patched. Examples include CVE‑2023‑2110 (a local file disclosure via app://local/... fixed in 1.2.8), CVE‑2023‑33244 (embedded web pages could call unintended APIs like mic/camera; fixed in 1.2.2), CVE‑2023‑27035 (Canvas 1.1.9 allowed embedded sites to trigger notifications and record audio; addressed in later releases), CVE‑2022‑36450 (a custom‑scheme issue leading to possible RCE; fixed in 0.15.5), and CVE‑2021‑38148 (non‑HTTP(S) URL confirmation bypass; fixed in 0.12.12).

Are community plugins safe, and what real problems have users encountered?

Community plugins run JavaScript with access to your vault and can make network requests. Obsidian mitigates risk with "Restricted mode" (formerly "Safe mode"), an initial review before a plugin enters the official directory, and developer rules (for example, no client‑side telemetry). However, the team does not review every plugin update; users have previously flagged issues such as a plugin sending telemetry and being removed from the store.

Is Obsidian Sync truly end‑to‑end encrypted (E2EE), and can users verify it themselves?

Obsidian Sync uses end‑to‑end encryption so that only you hold the keys; even file names are encrypted. The team published a step‑by‑step guide showing how to independently verify E2EE in your own vault, and they periodically upgrade the encryption scheme.

Are my local Obsidian notes encrypted at rest by default?

No. By design, Obsidian stores your notes as plain‑text Markdown files in a local "vault" folder. Local‑at‑rest encryption is left to the user or the operating system (for example, FileVault, BitLocker, LUKS) or third‑party tools/containers; Obsidian's privacy posture emphasizes local‑first storage, with optional E2EE only when using Sync.

Can embedded web content or iframes inside notes access my camera/microphone or otherwise break out?

Historically there were vulnerabilities where embedded pages could invoke sensitive APIs. Notably, CVE‑2023‑33244 allowed calls to mic/camera/notifications from an embedded page (fixed in 1.2.2), and CVE‑2023‑27035 affected Canvas embeds (fixed in later 1.1.x builds). Keeping Obsidian current mitigates these; the issues were disclosed and patched.

Could a malicious link executed from Obsidian cause code execution or data exfiltration?

Earlier releases had scheme‑handling issues. CVE‑2022‑36450 (pre‑0.15.5) involved obsidian://hook-get-address leading to remote code execution, and CVE‑2023‑2110 (pre‑1.2.8) allowed local file disclosure via a crafted page. Both were fixed quickly; users should update promptly and be cautious with untrusted links or notes imported from unknown sources.

Have there been plugin‑specific security vulnerabilities?

Yes. A prominent example is the Dataview plugin vulnerability (CVE‑2021‑42057), which allowed "eval injection" that could execute attacker‑controlled code when opening a malicious Markdown file; mitigations landed in Dataview 0.4.13. See CVE‑2021‑42057 (NVD) and the plugin’s own issue thread documenting the flaw and fix.
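A defender-side check, added here as an example and not taken from Obsidian or Dataview: it compares an installed app version against the fix releases quoted in the answers above and inventories a vault's community plugins, flagging Dataview older than 0.4.13. The `.obsidian/plugins/<id>/manifest.json` layout with `id` and `version` fields, and `dataview` as the plugin id, are assumptions not stated on this page; the sample vault is constructed.

```python
import json
import tempfile
from pathlib import Path

# Fix versions exactly as stated in the FAQ above.
# CVE-2023-27035 is omitted because the page gives no exact fix release for it.
APP_FIXES = {
    "CVE-2023-2110": "1.2.8",
    "CVE-2023-33244": "1.2.2",
    "CVE-2022-36450": "0.15.5",
    "CVE-2021-38148": "0.12.12",
}
# plugin id -> (CVE, first fixed version); "dataview" as the id is an assumption.
PLUGIN_FIXES = {"dataview": ("CVE-2021-42057", "0.4.13")}

def parse_version(text):
    """Turn '0.4.13' into (0, 4, 13) so that 0.4.9 sorts below 0.4.13."""
    return tuple(int(part) for part in text.strip().split("."))

def unpatched_app_cves(app_version):
    """CVEs from APP_FIXES whose fix release is newer than app_version."""
    current = parse_version(app_version)
    return sorted(c for c, fixed in APP_FIXES.items() if current < parse_version(fixed))

def audit_plugins(vault):
    """Inventory installed community plugins and flag known-vulnerable versions."""
    findings = []
    for manifest in sorted(Path(vault).glob(".obsidian/plugins/*/manifest.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            plugin_id, version = meta["id"], meta["version"]
            parsed = parse_version(version)
        except (ValueError, KeyError, TypeError, AttributeError):
            findings.append((manifest.parent.name, None, "unreadable manifest"))
            continue
        cve, fixed = PLUGIN_FIXES.get(plugin_id, (None, None))
        status = f"vulnerable to {cve}" if cve and parsed < parse_version(fixed) else "ok"
        findings.append((plugin_id, version, status))
    return findings

if __name__ == "__main__":
    # Constructed sample vault (not real data): one outdated Dataview install.
    with tempfile.TemporaryDirectory() as vault:
        plugin_dir = Path(vault, ".obsidian", "plugins", "dataview")
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "manifest.json").write_text('{"id": "dataview", "version": "0.4.9"}')
        print(audit_plugins(vault))
        print(unpatched_app_cves("1.2.5"))
```

Versions are compared as integer tuples because a plain string comparison would rank 1.13.1 below 1.2.8 and 0.4.9 above 0.4.13.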

What independent audits exist for Obsidian?

Obsidian commissions annual third‑party audits by Cure53 covering the desktop and mobile clients. The 2023 and 2024 assessments included penetration testing and source‑code review; Cure53 reported that all identified issues were addressed. You can read the summaries and the full reports from Obsidian’s Security page.

Does Obsidian collect telemetry or send my content to its servers?

The core app does not collect telemetry, and you can run it entirely offline. Obsidian connects to the internet only for features you opt into (for example, checking for updates, browsing the community directory, or using Sync/Publish), and community plugins listed in the official directory are prohibited from capturing client‑side telemetry.

What network calls does Obsidian make, and can enterprises restrict them?

The "Security considerations for teams" page enumerates the domains used for updates, account/license checks, Sync, and Publish; it also notes that these HTTPS connections can be blocked by domain firewalling or application lockdown if you require an offline deployment.

Are Obsidian Publish sites private or indexed by search engines, and can I password‑protect them?

Publish is public by default, but you can set a site‑wide password; note‑level passwords are not supported. There is also an option to disallow search engine indexing in site options.

Where are Obsidian Sync servers hosted, and can I pick a region?

Obsidian Sync runs on DigitalOcean infrastructure with geo‑regional hosting options that are selected when you first set up a remote vault. The Sync security page documents current locations and how region selection works.

Please note: These references and incidents are specific to Obsidian the note‑taking app (obsidian.md). They do not refer to similarly named products such as Plesk “Obsidian” or the cybersecurity vendor “Obsidian Security,” which have unrelated CVEs and policies.

Installations

283 users of UpdateStar had Obsidian installed last month.
