CVE-2026-40259
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
An authenticated publish-service reader can invoke /api/av/removeUnusedAttributeView and cause persistent deletion of arbitrary attribute view (AV) definition files from the workspace.
The route is protected only by generic CheckAuth, which accepts publish RoleReader requests. The handler forwards a caller-controlled id directly into a model function that deletes data/storage/av/<id>.json without verifying either:
- that the caller is allowed to perform write/destructive actions; or
- that the target AV is actually unused.
This is a persistent integrity and availability issue reachable from the publish surface.
Root Cause
1. Publish users are issued a RoleReader JWT
ClaimsKeyRole: RoleReader,2. The publish reverse proxy forwards that token upstream
3. CheckAuth accepts RoleReader
if role := GetGinContextRole(c); IsValidRole(role, []Role{
RoleAdministrator,
RoleEditor,
RoleReader,
}) {
c.Next()
return
}4. The route is exposed with CheckAuth only
ginServer.Handle("POST", "/api/av/removeUnusedAttributeView", model.CheckAuth, removeUnusedAttributeView)There is no CheckAdminRole and no CheckReadonly.
5. The handler forwards attacker-controlled id directly to the delete sink
avID := arg["id"].(string)
model.RemoveUnusedAttributeView(avID)6. The model deletes the AV file unconditionally
func RemoveUnusedAttributeView(id string) {
absPath := filepath.Join(util.DataDir, "storage", "av", id+".json")
if !filelock.IsExist(absPath) {
return
}
...
if err = filelock.RemoveWithoutFatal(absPath); err != nil {
...
return
}
IncSync()
}Crucially, this function does not verify that the supplied AV is actually unused. The name of the function suggests a cleanup helper, but the implementation is really "delete AV file by id if it exists".
Attack Prerequisites
- Publish service enabled
- Attacker can access the publish service
- If publish auth is enabled, attacker has valid publish-reader credentials
- Attacker knows an
avID
Obtaining avID
avID is not secret. It is exposed extensively in frontend markup as data-av-id.
Examples:
- app/src/protyle/render/av/render.ts
- app/src/protyle/render/av/layout.ts
- app/src/protyle/render/av/groups.ts
Any publish-visible database/attribute view can therefore disclose a valid avID to the attacker.
Exploit Path
- Attacker browses published content containing an attribute view.
- Attacker extracts the
data-av-idvalue from the page/DOM. - Attacker sends a POST request to
/api/av/removeUnusedAttributeViewthrough the publish service. - Publish proxy injects a valid
RoleReadertoken. CheckAuthaccepts the request.- The handler passes the attacker-controlled
avIDtomodel.RemoveUnusedAttributeView. - The backend deletes
data/storage/av/<avID>.json.
Proof of Concept
Request:
POST /api/av/removeUnusedAttributeView HTTP/1.1
Host: <publish-host>:<publish-port>
Content-Type: application/json
Authorization: Basic <publish-account-creds-if-enabled>
{
"id": "<exposed-data-av-id>"
}Expected result:
- HTTP 200
- backend increments sync state
- the target attribute view file is removed from
data/storage/av/ - published and local workspace behavior for that AV becomes broken until restored from history or recreated
Impact
This gives a low-privileged publish reader a destructive persistent write primitive against workspace data.
Practical consequences include:
- deletion of live attribute view definitions
- corruption/breakage of published database views
- breakage of local workspace rendering and AV-backed relationships
- operational disruption until restore or manual repair
The bug affects integrity and availability, not merely UI state.
Recommended Fix
At minimum:
- Block publish/read-only users from this route.
- Require admin/write authorization.
- Re-validate that the target AV is actually unused before deletion.
Safe router fix:
ginServer.Handle("POST", "/api/av/removeUnusedAttributeView",
model.CheckAuth,
model.CheckAdminRole,
model.CheckReadonly,
removeUnusedAttributeView,
)And inside the model or handler, reject deletion unless the target id is present in UnusedAttributeViews(...).
AnalysisAI
Unauthorized deletion of attribute view definitions in SiYuan note-taking application allows authenticated publish-service readers to permanently destroy arbitrary workspace data. Attackers with low-privilege publish credentials can extract attribute view IDs from published content markup (exposed as data-av-id attributes) and invoke the /api/av/removeUnusedAttributeView endpoint to delete corresponding JSON definition files. The endpoint lacks proper authorization controls, accepting RoleReader tokens despite performing destructive write operations. Successful exploitation corrupts database views, breaks local workspace rendering, and causes operational disruption requiring manual restoration.
Technical ContextAI
Authorization bypass stems from insufficient role validation in route handler. CheckAuth middleware accepts RoleReader role but endpoint performs filesystem deletion via filelock.RemoveWithoutFatal(). No verification that target AV is unused or that caller holds write privileges. Handler directly forwards user-controlled id parameter to RemoveUnusedAttributeView() function which unconditionally deletes data/storage/av/<id>.json when file exists.
RemediationAI
Vendor-released security advisory available at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg. Upstream fix available; released patched version not independently confirmed at time of analysis. Apply router-level authorization controls by adding CheckAdminRole and CheckReadonly middleware to /api/av/removeUnusedAttributeView endpoint. Implement server-side validation in RemoveUnusedAttributeView() to verify target attribute view is genuinely unused before deletion. Until patch deployed, disable publish service or restrict publish access to trusted users only. Monitor data/storage/av/ directory for unexpected file deletions and maintain regular workspace backups for recovery capability.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7m5h-w69j-qggg