Skip to main content

Siyuan CVE-2026-34453

| EUVD-2026-17683 HIGH
Incorrect Authorization (CWE-863)
2026-03-31 security-advisories@github.com GHSA-c77m-r996-jr3q
Authentication Bypass Siyuan
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 22:22 euvd
EUVD-2026-17683
Analysis Generated
Mar 31, 2026 - 22:22 vuln.today
CVE Published
Mar 31, 2026 - 22:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.

AnalysisAI

Unauthenticated information disclosure in SiYuan personal knowledge management system versions before 3.6.2 allows remote attackers to retrieve confidential content from password-protected documents via the publish service's bookmark API endpoint. The vulnerability bypasses document-level access controls by treating nil authentication contexts as authorized during bookmark filtering, exposing any bookmarked blocks without password verification. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access SiYuan publish service
Exploit
Call /api/bookmark/getBookmark endpoint
Execution
Exploit nil context authorization bypass
Impact
Retrieve bookmarked blocks from protected documents
Sign in to reveal

Vulnerability AssessmentAI

Exploitation SiYuan versions prior to 3.6.2 with publish service enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This represents a significant information disclosure risk for organizations and individuals using SiYuan's publish feature to share selective content while protecting sensitive documents. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a SiYuan publish service URL shared by a researcher who has published selected notes while password-protecting documents containing proprietary research data. The attacker sends an unauthenticated GET request to /api/bookmark/getBookmark without providing any password credentials. …
Remediation Vendor-released patch: version 3.6.2. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all SiYuan deployments and document current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-34453 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy