Description
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0.
Published: 2026-03-06
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Database Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows any authenticated user, including those with reader-level permissions, to execute arbitrary SQL statements against the SiYuan database via the /api/query/sql endpoint. Because the endpoint checks only for basic authentication and does not verify admin status, users can read or modify all data stored in the database. This can lead to data theft, corruption, or unauthorized configuration changes, thereby compromising confidentiality, integrity, and potentially availability. The problem is rooted in missing permission checks (CWE-862) and is exploitable as a SQL injection (CWE-89).

Affected Systems

SiYuan, a personal knowledge‑management system, is affected. The issue exists in all releases prior to version 3.6.0. Any installation of Siyuan before that version that retains the vulnerable /api/query/sql endpoint is susceptible.

Risk and Exploitability

The CVSS score is 5.7, indicating a medium severity. EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the exposed HTTP API; any authenticated user can invoke the endpoint remotely, bypassing role checks. Because the flaw permits arbitrary SQL execution, an attacker can gain unauthorized access to all database contents. Remediation with the latest patch eliminates the risk.

Generated by OpenCVE AI on April 16, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.0 or later to apply the vendor‑provided fix.
  • If upgrading is not immediately possible, restrict external access to the /api/query/sql endpoint by configuring network or application firewalls to allow only trusted internal hosts.
  • Monitor authentication logs and database activity for suspicious queries, and consider disabling the endpoint if your deployment does not require direct SQL execution.

Generated by OpenCVE AI on April 16, 2026 at 11:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jqwg-75qf-vmf9 SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
History

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Fri, 06 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0.
Title SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access
Weaknesses CWE-862
CWE-89
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:03:19.344Z

Reserved: 2026-03-03T20:51:43.482Z

Link: CVE-2026-29073

cve-icon Vulnrichment

Updated: 2026-03-09T20:03:14.024Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T08:16:26.763

Modified: 2026-03-10T19:04:03.527

Link: CVE-2026-29073

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses