Obsidian has published two independent security audits of its Sync service — one by Cure53 (October 2024) and one by Trail of Bits (December 2025) — covering the Sync API, server, and cryptography. The Cure53 audit found four low-priority and one medium-priority issue, all resolved, and validated an August 2025 encryption upgrade. The Trail of Bits audit identified eleven issues, most remediated, with three documented as known limitations: a vault-deletion endpoint accessible without login, deterministic file-hash encryption that could theoretically leak file identity under server compromise, and lack of cryptographic binding between file paths and content. Obsidian updated its Sync security documentation to transparently disclose these trade-offs.

5m read time. From obsidian.md