No warnings when clicking on executable files

Steps to reproduce

Move any executable file into vault > Click File > File is executed without warning

Did you follow the troubleshooting guide? [Y/N] Y

I attempted this in my local vault in restricted mode.

Expected result

I expected the application not to recognize the file extension at all, and not render it in the application. At a minimum, I would have expected a pop up message upon clicking the file.

Actual result

When I clicked on the file (exploitable with .py and .c files), the file was executed without warning. My machine does not have root privileges, so I created a .py file with a test to confirm if executing the script would indeed allow a malicious actor to execute commands through the application. By default, Windows users’ first user is given administrator privileges so this action would successfully execute without the user’s knowledge. Below is the simple script I created to test if clicking the file would execute or open the file for editing:


import os

def check_admin_privileges():
    # Writing under System32 only succeeds for an elevated (administrator) process,
    # so the outcome tells the tester whether the click ran the script with admin rights.
    try:
        # Attempt to create a directory in a protected location
        os.mkdir("C:\\Windows\\System32\\TestDir")
    except PermissionError as e:
        # input() keeps the console window open so the message can be read
        input(f"PermissionError: You do not have the required administrative privileges. {e}")
    else:
        input("Directory created successfully. You have administrative privileges.")
        # Clean up if the directory was actually created
        os.rmdir("C:\\Windows\\System32\\TestDir")

if __name__ == "__main__":
    check_admin_privileges()

Environment

SYSTEM INFO:
Obsidian version: v1.6.3
Installer version: v1.5.12
Operating system: Windows 10 Home 10.0.22631
Login status: not logged in
Insider build toggle: off
Live preview: on
Base theme: adapt to system
Community theme: Minimal v7.5.4
Snippets enabled: 0
Restricted mode: on


Additional information

It is worth noting, I did locate an earlier post regarding arbitrary code execution with PDF.js files. I thought to go ahead and test that out myself and was unable to get my .js file to execute. It used another simple function to print hello to the console as a proof of concept. This actually didn't work, which I expected after reading that this has been addressed in an earlier release. When I click on my file, it simply does nothing.

What started my testing of this was that I created an internal link and thought what may happen if I ended the file in a ".py". I created a file called "testing.py", and nothing special happened. When I opened the directory from the file explorer, I understood why. It updated the file name to actually read "testing.py.md". Through the explorer, I was able to manually update the name to "testing.py" and Obsidian simply accepted the updated file in the directory and displayed it in the UI with a lightened "PY" next to the file name. Upon clicking the file, the script was executed with the version of Python in PATH. As most OSes will ship with Python onboard and/or future software will automatically download it as part of its functionality, this could be a problem if users were to accidentally open a file of this kind within the application.
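The behaviour described in the report hinges on one detail: the operating system decides what "open" means from the final extension only, so "testing.py.md" is a note while "testing.py" is a script handed to the interpreter on PATH. The following is an added example, not code from the report or from Obsidian, that scans a vault for files whose final extension would cause the host OS to execute them when opened, which is the check someone would want to run before sharing a vault or after receiving one. The list of extensions and the sample vault it builds are my own assumptions for the example.

```python
import os
import tempfile
from pathlib import Path

# Extensions that Windows (and most desktops) hand to an interpreter or loader
# rather than a viewer when "opened". This set is an assumption for the example,
# not something Obsidian ships or enforces.
EXECUTABLE_SUFFIXES = {
    ".py", ".pyw", ".exe", ".com", ".scr", ".bat", ".cmd", ".ps1",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".lnk",
}


def classify(path) -> str:
    """Return 'note', 'executable' or 'other' based on the FINAL suffix only.

    Only the last suffix matters to the OS: 'testing.py.md' is a note,
    'testing.py' is a script. 'notes.md.py' is flagged even though a person
    skimming the name may read it as a note.
    """
    suffix = Path(path).suffix.lower()
    if suffix == ".md":
        return "note"
    if suffix in EXECUTABLE_SUFFIXES:
        return "executable"
    return "other"


def scan_vault(root) -> list:
    """Walk a vault and return sorted, POSIX-style relative paths of files the
    host OS would execute when opened.

    Hidden directories such as .obsidian are skipped: the JavaScript under
    .obsidian/plugins is loaded by Obsidian itself and is governed by
    restricted mode, which is a separate concern from the one reported.
    """
    root = Path(root)
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            p = Path(dirpath) / name
            if classify(p) == "executable":
                flagged.append(p.relative_to(root).as_posix())
    return sorted(flagged)


def build_demo_vault() -> Path:
    """Constructed sample vault reproducing the report's scenario (assumed layout)."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    (root / "Daily").mkdir()
    (root / "Daily" / "2024-06-01.md").write_text("# Daily note\n")
    # What Obsidian creates when a link is named "testing.py": still a note.
    (root / "testing.py.md").write_text("# looks like a script, is a note\n")
    # What the reporter produced by renaming in File Explorer: a real script.
    (root / "testing.py").write_text("print('hello')\n")
    # .pyw runs under pythonw.exe with no console window at all.
    (root / "report.pyw").write_text("import os\n")
    (root / "attachment.png").write_bytes(b"\x89PNG\r\n")
    (root / ".obsidian").mkdir()
    (root / ".obsidian" / "app.json").write_text("{}\n")
    return root


if __name__ == "__main__":
    vault = build_demo_vault()
    for rel in scan_vault(vault):
        print(f"would execute if opened: {rel}")
```

Run against a real vault with `scan_vault("/path/to/vault")`. The classifier deliberately looks only at the last suffix because that is what the shell's file-association lookup does; a vault that contains nothing but `.md` files and attachments should return an empty list.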

I do not consider intentionally clicking on a program and running that program a problem/vulnerability.
What's the difference between clicking on that executable in Windows File Explorer?

I’ll think about it.

The case of pdf.js is different. There the user was opening a PDF and having an unintended program being executed behind the scenes.

I agree I was intentionally trying to click on an executable to see if it would fire, but that wouldn't be a normal use case. Let's say I send my vault to someone that wouldn't know any better; they would have no idea they were clicking on an executable or that it won't open as a file for viewing. Had I created the file as a ".pyw", there would also be no terminal presented to the user, effectively executing behind the scenes like the PDF.js issue.

I agree as well that this isn't much different than clicking the same file in File Explorer, but File Explorer exposes more details about the file by default that would lead a user to think twice before clicking on the file. The file extension and type of file are very clearly displayed. The "valid" markdown files would clearly be labeled as such and the potentially malicious files would clearly have differing extensions.

The file extension is displayed.

Anyway, we will revisit this.
