Description
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
Published: 2026-03-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection Exploit
Action: Patch immediately
AI Analysis

Impact

SiYuan is a personal knowledge management system that, in versions 3.6.0 and earlier, contains an authorization bypass in the “/api/search/fullTextSearchBlock” endpoint. When the method parameter is set to 2, the API forwards the user-supplied input to SQLite as a raw SQL statement without applying any additional authentication or read‑only checks. This bypass allows any authenticated user—including those with the Reader role—to execute arbitrary SQL commands such as SELECT, DELETE, UPDATE, and DROP TABLE against the application database. The vulnerability is a clear example of improper authorization and unsafe SQL execution, corresponding to CWE‑863 and CWE‑89.

Affected Systems

Affected product: SiYuan by Siyuan‑Note. Vulnerable versions are 3.6.0 and all earlier releases. The issue was fixed in version 3.6.1, so any deployment using 3.6.0 or older is susceptible.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score is below 1% and it is not listed in the CISA KEV catalog, indicating that public exploitation is currently unlikely but the severity remains high. An attacker who can authenticate to the system (even with a low-privilege Reader account) can send a crafted request to the search endpoint to run arbitrary SQL statements, which could lead to data loss, integrity compromise, or denial of service. The attack vector is network based, requiring that the attacker has network access to the API and a valid authenticated session.

Generated by OpenCVE AI on March 23, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.1 or newer
  • Re‑verify that the vulnerability is mitigated after upgrading
  • Regularly check the vendor’s website or release notes for new security patches or advisories

Generated by OpenCVE AI on March 23, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j7wh-x834-p3r7 SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
History

Mon, 23 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Fri, 20 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
Title SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Weaknesses CWE-863
CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T14:42:49.764Z

Reserved: 2026-03-13T18:53:03.533Z

Link: CVE-2026-32767

cve-icon Vulnrichment

Updated: 2026-03-20T14:42:29.289Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T01:15:55.597

Modified: 2026-03-23T15:23:44.380

Link: CVE-2026-32767

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:10:12Z

Weaknesses