2026-05-14 Obsidian Sync Passes Cure53 and Trail of Bits Audits
The Obsidian team just published the results of two independent security audits of Obsidian Sync; one by Cure53 (Berlin, October 2024) and one by Trail of Bits (New York, December 2025). Both cover the Sync API, server, and cryptography. All findings have been addressed via remediations validated by the auditors themselves.
This is the third batch of audits Obsidian has shared publicly, after the desktop and mobile client audits in January 2024 and December 2024.
What the Auditors Looked At
The two audits target the part of the stack most users never see: the Sync service itself. Not just "is the encryption sound", but the full surface: API endpoints, server behavior, key management, and the encryption upgrade shipped on August 22, 2025 alongside Obsidian 1.9.11.
Cure53 flagged four low-priority issues and one medium-priority issue. Trail of Bits found eleven. Everything that needed fixing got fixed. The rest are documented trade-offs.
The Trade-Offs Worth Knowing About
Two findings from Trail of Bits won't be "fixed" because they're intentional. Obsidian is now explicit about them on their Sync security page:
- Deterministic file-hash encryption. The same file content + same key + same salt always produces the same encrypted hash. This is how Sync detects duplicates and avoids re-uploading identical data; it matters for version history and large files. The trade-off is that a compromised server with the ability to force you to upload files of its choosing could test whether one of your files matches a file it already knows.
- Path-to-content mapping is server-readable. Some metadata is not end-to-end encrypted: who uploaded a file, when, and how encrypted paths map to encrypted content. The server needs this to route changes and keep devices in sync. A compromised server could swap the mapping, but it still couldn't read the underlying content.
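To make the first trade-off concrete, here is a small model of deterministic content tags driving deduplication. This is an added example, not Obsidian's code: the HMAC-over-salt-and-content construction, the server model and the encryption stand-in are assumptions chosen to show why the same file yields the same tag and why that equality is visible to whoever holds the tags.

```python
"""Model of deterministic content tags for sync deduplication (assumed design,
not Obsidian's implementation)."""
import hashlib
import hmac
import os


def deterministic_tag(key: bytes, salt: bytes, content: bytes) -> bytes:
    """Same key + same salt + same content always yields the same tag."""
    return hmac.new(key, salt + content, hashlib.sha256).digest()


def randomized_tag(key: bytes, content: bytes) -> bytes:
    """Fresh nonce per call: equal files no longer give equal tags, so the
    server cannot deduplicate them either."""
    nonce = os.urandom(16)
    return nonce + hmac.new(key, nonce + content, hashlib.sha256).digest()


class SyncServer:
    """Holds tag -> ciphertext. It never sees the key or the plaintext."""

    def __init__(self) -> None:
        self.blobs: dict[bytes, bytes] = {}

    def has(self, tag: bytes) -> bool:
        # The server can answer this for any tag it is handed; that equality
        # oracle is exactly the documented trade-off.
        return tag in self.blobs

    def store(self, tag: bytes, ciphertext: bytes) -> None:
        self.blobs[tag] = ciphertext


def encrypt_stub(content: bytes) -> bytes:
    """Stand-in for the real randomized ciphertext (assumption: never repeats)."""
    return os.urandom(12) + bytes(len(content))


def upload(server: SyncServer, key: bytes, salt: bytes,
           content: bytes) -> tuple[bytes, bool]:
    """Return (tag, uploaded). A known tag means nothing is re-uploaded."""
    tag = deterministic_tag(key, salt, content)
    if server.has(tag):
        return tag, False
    server.store(tag, encrypt_stub(content))
    return tag, True


if __name__ == "__main__":
    server, key, salt = SyncServer(), os.urandom(32), os.urandom(16)
    note = b"# Meeting notes\n- constructed sample file\n"
    print(upload(server, key, salt, note)[1])  # first device: uploads
    print(upload(server, key, salt, note)[1])  # second device: dedup hit
```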
I appreciate that Obsidian writes these down clearly instead of glossing over them. Any real-world sync product has to balance confidentiality against performance, storage, and cost. I'd rather see those trade-offs spelled out than hidden.
"Managed Encryption" Is Now "Standard Encryption"
One Cure53 finding I want to call out: the old "managed encryption" mode (server-managed keys instead of end-to-end) was renamed to "standard encryption", and the docs were rewritten to spell out the risk of not picking the default end-to-end option. That naming was misleading; the new wording is much clearer.
If you're on Sync, it's worth a 30-second check that your vault is using end-to-end encryption rather than the standard mode.
My Take
I run Obsidian Sync on multiple devices for my main vault, so honestly this stuff matters to me directly.
Look at what Obsidian actually did here. They paid two well-known security firms to dig into Sync, with no contractual nudge to soften the findings. Both reports are out in public, with everything Cure53 and Trail of Bits found. The bugs that needed fixing got fixed. The handful of things they decided NOT to "fix" (because they're real trade-offs for performance and storage) are documented openly on the security page so you can decide for yourself whether you're OK with them.
That's rare. Most companies sitting on your private notes don't bother. The ones that do an audit usually keep the report internal, or boil it down to a marketing-friendly summary. "We take security very seriously" and that's about it.
Three audits in two years now (the desktop and mobile clients last year, Sync this year). That's a pattern, not a one-off PR move.
The Cure53 report itself captures what I care about most:
It is imperative to acknowledge the swift actions taken by the Obsidian team in working on addressing several of these identified vulnerabilities shortly after the conclusion of the audit.
Finding bugs is the easy part. Fixing them quickly is what tells you whether a team actually cares.
References
- Announcement — Obsidian Sync audited by Cure53 and Trail of Bits
- Obsidian Security page
- Cure53 audit — summary and full report
- Trail of Bits audit — full report
- Sync security page (limitations + standard encryption risks)
- Verify Obsidian Sync's end-to-end encryption
About Sébastien
I'm Sébastien Dubois, and I'm on a mission to help knowledge workers escape information overload. After 20+ years in IT and seeing too many brilliant minds drowning in digital chaos, I've decided to help people build systems that actually work. Through the Knowii Community, my courses, products & services and my Website/Newsletter, I share practical and battle-tested systems.
I write about Knowledge Work, Personal Knowledge Management, Note-taking, Lifelong Learning, Personal Organization, Productivity, and more. I also craft lovely digital products and tools.
If you want to follow my work, then become a member and join our community.