Description
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.
Published: 2026-03-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass leading to data integrity compromise
Action: Apply Patch
AI Analysis

Impact

A flaw in the publish service allows low‑privilege users holding the RoleReader role to append new blocks to existing notebooks through the /api/block/appendHeadingChildren endpoint. The endpoint only verifies that the caller has an authenticated session (model.CheckAuth) and does not apply the stricter checks, CheckAdminRole or CheckReadonly, that a content‑modifying endpoint needs. As a result, read‑only publish users can modify the content of notes, a privilege escalation that undermines the integrity of stored data.
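To make the gap concrete, here is an added illustration in Go (not SiYuan's own code): a mutating endpoint wired behind a generic "is there a session" check, beside the same endpoint behind a check that rejects read‑only roles before the handler runs. The middleware names, the RoleAdministrator/RoleEditor constants, the X-Demo-Role header and the in‑memory routing are assumptions for this example; only RoleReader, the endpoint path and the weak‑versus‑strict contrast come from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role models the publish-service roles. RoleReader is named in the
// advisory; the other two names and the numeric values are assumptions.
type Role int

const (
	RoleAdministrator Role = iota
	RoleEditor
	RoleReader
)

// roleFromHeader stands in for session lookup. A real service resolves the
// role from the authenticated session; this example reads it from a
// header so it runs without a session store (assumption).
func roleFromHeader(r *http.Request) (Role, bool) {
	switch r.Header.Get("X-Demo-Role") {
	case "admin":
		return RoleAdministrator, true
	case "editor":
		return RoleEditor, true
	case "reader":
		return RoleReader, true
	}
	return 0, false
}

// checkAuth is the weak gate the advisory describes: it only proves the
// caller has *some* authenticated session, so a RoleReader session passes.
func checkAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, ok := roleFromHeader(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// checkWriteRole is the stricter gate a mutating endpoint needs: it rejects
// read-only roles before the handler can touch any document.
func checkWriteRole(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		role, ok := roleFromHeader(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if role == RoleReader {
			http.Error(w, "read-only role may not modify documents", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// appendHeadingChildren is a stand-in for the mutating handler; it does no
// real work beyond reporting success.
func appendHeadingChildren(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, `{"code":0}`)
}

// VulnerableMux wires the endpoint the way the advisory describes: behind
// the generic authentication check only.
func VulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/block/appendHeadingChildren", checkAuth(appendHeadingChildren))
	return mux
}

// FixedMux adds the write-role check, so reader sessions receive 403.
func FixedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/block/appendHeadingChildren", checkWriteRole(appendHeadingChildren))
	return mux
}

// StatusFor sends a POST to the endpoint on the given mux as the given demo
// role ("" means no session) and returns the HTTP status.
func StatusFor(mux *http.ServeMux, role string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/block/appendHeadingChildren", nil)
	if role != "" {
		req.Header.Set("X-Demo-Role", role)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, role := range []string{"reader", "editor", ""} {
		fmt.Printf("role=%q vulnerable=%d fixed=%d\n", role,
			StatusFor(VulnerableMux(), role), StatusFor(FixedMux(), role))
	}
}
```

The point of the comparison is that authentication and authorization are separate decisions: the first wiring answers only "who is this?", while a write endpoint must also answer "may this role change data?", and that second check has to sit in front of the handler rather than inside it.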

Affected Systems

The vulnerability affects the SiYuan Note application in versions prior to 3.5.10. Deployments running older releases that have granted publish accounts the read‑only RoleReader role are at risk.

Risk and Exploitability

The CVSS score is 7.1, indicating a high‑severity vulnerability. The EPSS score is below 1 %, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated through a publish account holding the RoleReader role; they can then call the vulnerable API endpoint to append blocks to existing documents. Because exploitation requires only low‑privilege credentials, the risk is significant for any deployment that grants publish access.

Generated by OpenCVE AI on April 16, 2026 at 10:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.5.10 or later, which fixes the authorization check on /api/block/appendHeadingChildren
  • Revoke the Publish (RoleReader) privilege from users who should not modify notebooks or disable publishing for these accounts entirely
  • Deploy monitoring of the /api/block/appendHeadingChildren API to alert on unexpected content append operations
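As an added example of the monitoring item above (not tooling from OpenCVE or the SiYuan project), the Go program below scans newline‑delimited JSON access‑log lines and raises an alert for each successful POST to the endpoint that came from a read‑only role or from an account outside an expected‑writer list. The log format, its field names, the RoleAdministrator/RoleEditor labels, the second path in the sample and the sample lines themselves are all constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// accessEntry is the assumed log shape: one JSON object per line, as a
// reverse proxy in front of the publish service might emit. Field names
// are made up for this example.
type accessEntry struct {
	Time   string `json:"ts"`
	User   string `json:"user"`
	Role   string `json:"role"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Status int    `json:"status"`
}

// Alert describes one suspicious append operation.
type Alert struct {
	Time   string
	User   string
	Reason string
}

const watchedPath = "/api/block/appendHeadingChildren"

// FindSuspiciousAppends scans newline-delimited JSON access-log text and
// returns an alert for each *successful* POST to the watched endpoint that
// came from a read-only role or from an account outside expectedWriters.
// Blank and unparseable lines are skipped; failed (non-200) calls are not
// alerted because no content was changed.
func FindSuspiciousAppends(logText string, expectedWriters map[string]bool) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue
		}
		if e.Path != watchedPath || e.Method != "POST" || e.Status != 200 {
			continue
		}
		switch {
		case e.Role == "RoleReader":
			alerts = append(alerts, Alert{e.Time, e.User, "read-only role performed an append"})
		case !expectedWriters[e.User]:
			alerts = append(alerts, Alert{e.Time, e.User, "append by account outside expected writer set"})
		}
	}
	return alerts
}

// sampleLog is constructed for this example; it is not real SiYuan output.
// "/api/demo/readOnlyEndpoint" is a placeholder path, not a real endpoint.
const sampleLog = `
{"ts":"2026-03-09T10:00:01Z","user":"alice","role":"RoleAdministrator","method":"POST","path":"/api/block/appendHeadingChildren","status":200}
{"ts":"2026-03-09T10:00:05Z","user":"guest1","role":"RoleReader","method":"GET","path":"/api/demo/readOnlyEndpoint","status":200}
{"ts":"2026-03-09T10:00:09Z","user":"guest1","role":"RoleReader","method":"POST","path":"/api/block/appendHeadingChildren","status":200}
{"ts":"2026-03-09T10:00:12Z","user":"guest1","role":"RoleReader","method":"POST","path":"/api/block/appendHeadingChildren","status":403}
{"ts":"2026-03-09T10:00:20Z","user":"bob","role":"RoleEditor","method":"POST","path":"/api/block/appendHeadingChildren","status":200}
not json at all
`

func main() {
	writers := map[string]bool{"alice": true}
	for _, a := range FindSuspiciousAppends(sampleLog, writers) {
		fmt.Printf("%s user=%s: %s\n", a.Time, a.User, a.Reason)
	}
}
```

Two design choices are worth noting: the rule keys on the response status, so a 403 from a patched server is not an alert, and the writer allow‑list catches the case where the role field is missing or untrustworthy in the log, which is useful while the patched version is still being rolled out.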


Advisories
Source: Github GHSA
ID: GHSA-f9cq-v43p-v523
Title: SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren
History

Fri, 13 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | B3log; B3log siyuan
CPEs | | cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products | | B3log; B3log siyuan

Tue, 10 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Siyuan; Siyuan siyuan
Vendors & Products | | Siyuan; Siyuan siyuan

Mon, 09 Mar 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.
Title | | SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content
Weaknesses | | CWE-284; CWE-862
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:58:53.053Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30926

Vulnrichment

Updated: 2026-03-10T14:58:42.515Z

NVD

Status: Analyzed

Published: 2026-03-10T07:44:56.943

Modified: 2026-03-13T17:06:54.933

Link: CVE-2026-30926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses