Description
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue.
Published: 2026-01-19
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

A logic flaw in SiYuan’s file copy API lets an authenticated user copy any file on the server into the application’s workspace. The code checks only for the existence of the source file and does not impose directory restrictions, allowing the attacker to expose sensitive files such as configuration, credentials, or logs. This grants confidentiality compromise for information present on the host filesystem.

Affected Systems

SiYuan personal knowledge management system versions earlier than 3.5.4 are vulnerable. The issue resides in the /api/file/globalCopyFiles endpoint in the api/file.go source code.

Risk and Exploitability

The CVSS base score of 8.3 indicates high severity. The EPSS score is less than 1 %, meaning real‑world exploitation is considered unlikely but still possible, especially in environments with automated scripts. The vulnerability is not listed in the CISA KEV catalog, and the attack vector is through a legitimate API call that an authenticated user can invoke. Proper path validation would have prevented the issue, but because it is missing, an attacker with an authenticated session can read arbitrary files.

Generated by OpenCVE AI on April 18, 2026 at 05:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SiYuan 3.5.4 or later to receive the fixed file‑copy logic.
  • If an upgrade is delayed, remove or protect the /api/file/globalCopyFiles endpoint from user access, for example by applying role‑based access control or firewall rules.
  • Restrict the filesystem permissions of the directories that the application can read so that only legitimate workspace files are accessible.
  • Monitor API logs for unexpected use of file copy operations and review user activity for potential data exfiltration attempts.

Generated by OpenCVE AI on April 18, 2026 at 05:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-94c7-g2fj-7682 SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality
History

Fri, 30 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 20 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Mon, 19 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue.
Title SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:05:11.018Z

Reserved: 2026-01-16T15:46:40.843Z

Link: CVE-2026-23851

cve-icon Vulnrichment

Updated: 2026-01-20T19:37:07.607Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T20:15:49.670

Modified: 2026-01-30T15:12:24.700

Link: CVE-2026-23851

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses