Docker
CVE-2026-33194
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The IsSensitivePath() function in kernel/util/path.go uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including /opt (application data), /usr (local configs/binaries), /home (other users), /mnt and /media (mounted volumes). The globalCopyFiles and importStdMd endpoints rely on IsSensitivePath as their primary defense against reading files outside the workspace.
Details
Current denylist in kernel/util/path.go:391-405:
prefixes := []string{
"/.", // dotfiles
"/etc", // system config
"/root", // root home
"/var", // variable data
"/proc", // process info
"/sys", // sysfs
"/run", // runtime data
"/bin", // binaries
"/boot", // boot files
"/dev", // devices
"/lib", // libraries
"/srv", // service data
"/tmp", // temp files
}NOT blocked:
/opt- commonly contains application data, databases, credentials. In SiYuan Docker,/opt/siyuan/contains the application itself./usr- contains/usr/local/etc,/usr/local/share, custom configs/home- other users' home directories (only~/.sshand~/.configof the current HomeDir are blocked via separate checks, but other users' homes are accessible)/mnt,/media- mounted volumes, network shares, often containing secrets/snap- snap package data/sbin,/lib64- system binaries/libraries
The globalCopyFiles endpoint at kernel/api/file.go:82 uses IsSensitivePath as its sole path validation:
if util.IsSensitivePath(absSrc) {
// reject
continue
}
// File is copied into workspace - then readable via /api/file/getFilePoC
# Read SiYuan's own application files from /opt (Docker deployment)
curl -s 'http://127.0.0.1:6806/api/file/globalCopyFiles' \
-H 'Authorization: Token YOUR_API_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"srcs":["/opt/siyuan/kernel/SiYuan-Kernel"],"destDir":"data/assets"}'
# Then read the copied file from workspace
curl -s 'http://127.0.0.1:6806/api/file/getFile' \
-H 'Authorization: Token YOUR_API_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"path":"data/assets/SiYuan-Kernel"}'
# Read files from mounted volumes
curl -s 'http://127.0.0.1:6806/api/file/globalCopyFiles' \
-H 'Authorization: Token YOUR_API_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"srcs":["/mnt/secrets/credentials.json"],"destDir":"data/assets"}'Impact
- Read arbitrary files from
/opt,/usr,/home,/mnt,/mediaand any other non-denylisted path - In Docker deployments: read application source code, configs, mounted secrets
- The denylist approach is fundamentally flawed - any newly added filesystem path is accessible until explicitly blocked
Recommended Fix
Switch from a denylist to an allowlist approach. Only permit copying from the workspace directory and explicitly approved external paths:
func IsSensitivePath(p string) bool {
absPath := filepath.Clean(p)
// Allowlist: only workspace and configured safe directories
if strings.HasPrefix(absPath, WorkspaceDir) {
// Block workspace-internal sensitive paths (conf/)
if strings.HasPrefix(absPath, filepath.Join(WorkspaceDir, "conf")) {
return true
}
return false
}
// Everything outside workspace is sensitive by default
return true
}AnalysisAI
Docker's IsSensitivePath() function uses an incomplete denylist that fails to restrict access to sensitive directories including /opt, /usr, /home, /mnt, and /media, allowing authenticated users with high privileges to read arbitrary files outside the intended workspace through the globalCopyFiles and importStdMd endpoints. An attacker with administrative credentials could exploit this path traversal vulnerability to access sensitive configuration files and data from other users or mounted volumes. No patch is currently available for this medium-severity issue.
Technical ContextAI
SiYuan is a Go-based note-taking application (identified via CPE pkg:go/github.com_siyuan-note_siyuan_kernel) that implements a file management API with endpoints at kernel/api/file.go for handling file operations. The root cause (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) stems from the IsSensitivePath() function in kernel/util/path.go which employs a denylist-based validation strategy at lines 391-405. This function is designed to prevent path traversal attacks by blocking known-sensitive directories (/etc, /root, /var, /proc, /sys, /run, /bin, /boot, /dev, /lib, /srv, /tmp, and dotfiles), but the allowlist approach was rejected in favor of blocking only explicitly-known sensitive paths. The globalCopyFiles endpoint at kernel/api/file.go:82 and importStdMd endpoint rely solely on this incomplete denylist as their primary defense mechanism, with no additional validation layers; when validation passes, files are copied into the workspace directory and subsequently readable via the getFile API endpoint, enabling information disclosure.
RemediationAI
Apply the patch released by the SiYuan project, which should implement an allowlist-based approach restricting file access to the workspace directory and explicitly approved external paths rather than the current denylist strategy (see https://github.com/siyuan-note/siyuan/security/advisories/GHSA-vm69-h85x-8p85 for exact version to upgrade to and patch details). As an interim mitigation for systems that cannot immediately patch, restrict API token issuance to minimal necessary users, implement network-level access controls limiting exposure of the SiYuan API port (default 6806) to trusted networks only, and in Docker deployments, avoid mounting sensitive directories to /mnt or /media unless absolutely necessary. Additionally, deploy host-based file access auditing on the SiYuan process to detect anomalous file reads from sensitive paths, and consider running SiYuan in a restricted container with read-only mounts where feasible.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-vm69-h85x-8p85