Impact
The vulnerability exists due to a missing admin check in the POST /api/template/renderSprig endpoint. Key detail from the vendor description: "Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes." Because the check is missing, an attacker with any authenticated account can read or potentially modify all data, resulting in a confidentiality and integrity breach. The weakness is identified as authentication bypass (CWE-285) and improper privilege management (CWE-732).
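The missing-check pattern described above, as an added Go example that is not SiYuan's code: the same route registered with and without an admin-role guard, plus the regression check that catches the gap. It uses the standard library net/http; the X-Demo-Role header and the names guard, checkAuth, checkAdminRole, newMux and statusFor are hypothetical, and the handler is a placeholder that renders no template and runs no SQL.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// guard rejects with status deny unless ok(role). The role is read from a
// constructed demo header; a real server derives it from the session.
func guard(ok func(string) bool, deny int, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !ok(r.Header.Get("X-Demo-Role")) {
			http.Error(w, http.StatusText(deny), deny)
			return
		}
		next(w, r)
	}
}

// checkAuth admits any logged-in role; checkAdminRole admits only "admin".
// Both are hypothetical stand-ins, not the project's code.
func checkAuth(next http.HandlerFunc) http.HandlerFunc {
	return guard(func(role string) bool { return role != "" }, http.StatusUnauthorized, next)
}
func checkAdminRole(next http.HandlerFunc) http.HandlerFunc {
	return guard(func(role string) bool { return role == "admin" }, http.StatusForbidden, next)
}

// newMux registers the endpoint; withAdminCheck=false models the pre-fix state.
func newMux(withAdminCheck bool) *http.ServeMux {
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "rendered") })
	if withAdminCheck {
		h = checkAdminRole(h)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/api/template/renderSprig", checkAuth(h))
	return mux
}

// statusFor sends an empty POST as the given role and returns the HTTP status.
func statusFor(mux *http.ServeMux, role string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/template/renderSprig", nil)
	req.Header.Set("X-Demo-Role", role)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(newMux(false), "reader"), statusFor(newMux(true), "reader")) }
```

Running the same three-role check against every sensitive route in a test suite turns a forgotten guard into a failing build instead of an advisory.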
Affected Systems
All SiYuan products from the vendor (siyuan-note:siyuan) running versions earlier than 3.6.1 are affected. The issue is fixed in version 3.6.1. No additional sub-version details are provided in the data.
Risk and Exploitability
The CVSS score is 6.5, indicating moderate severity. The EPSS score is less than 1%, suggesting low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is an authenticated remote request to the vulnerable endpoint. Because any authenticated user can exploit the flaw, the potential impact scope spans the entire workspace of the compromised user. The referenced advisory (https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4j3x-hhg2-fm2x) confirms the public disclosure of this vulnerability.