EUVD-2026-17683
GHSA-c77m-r996-jr3q
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
Analysis
Unauthenticated information disclosure in SiYuan personal knowledge management system versions before 3.6.2 allows remote attackers to retrieve confidential content from password-protected documents via the publish service's bookmark API endpoint. The vulnerability bypasses document-level access controls by treating nil authentication contexts as authorized during bookmark filtering, exposing any bookmarked blocks without password verification. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all SiYuan deployments and document current versions in use. Within 7 days: Evaluate feasibility of upgrading to SiYuan 3.6.2 or later; if immediate upgrade is not possible, restrict network access to the publish service bookmark API endpoint and disable the bookmark publishing feature. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today