Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.
Published: 2026-03-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via unauthenticated WebSocket hijacking
Action: Patch
AI Analysis

Impact

The vulnerability permits any client to bypass authentication on the WebSocket endpoint by supplying specific URL parameters. This allows attackers to receive real‑time server push events that contain sensitive metadata such as document titles, notebook names, file paths, and CRUD actions performed by legitimate users, effectively exposing confidential note‑taking activity.

Affected Systems

Vendor: SiYuan (B3log); product: SiYuan; affected versions: 3.6.0 and earlier; fixed in version 3.6.1.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 rates the severity as medium; NVD's CVSS 3.1 assessment (recorded under History below) is 7.5 High, scoring the leak as a high confidentiality impact that needs no user interaction. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation, the SSVC entry records proof-of-concept exploitation, and the issue is not listed in the CISA KEV catalog. For the usual deployment, an instance bound to localhost, exploitation requires luring the victim to a malicious webpage that opens a cross-origin WebSocket to the local SiYuan instance with the bypass parameters; because the kernel does not validate the Origin header, the page can silently harvest the push events. An instance reachable over the network can be connected to directly by any client that supplies the same parameters, with no browser involved.

Generated by OpenCVE AI on March 23, 2026 at 19:26 UTC.

Remediation

The vendor fixed this issue in version 3.6.1 (see the description above); no workaround for earlier versions is listed on this page.

OpenCVE Recommended Actions

  • Upgrade to SiYuan version 3.6.1 or later

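The advisory names two conditions that together make the leak possible: the keep-alive parameters (?app=siyuan&id=auth&type=auth) skip authentication on /ws, and the Origin header of the WebSocket handshake is never checked. The Go block below is an added example, written for this page and not taken from SiYuan's code base or from the 3.6.1 patch, that models the upgrade decision both ways: vulnerableDecide reproduces the pre-3.6.1 behaviour as described, and hardenedDecide shows one way to close both holes (reject cross-origin handshakes against an allowlist, and let an unauthenticated keep-alive connection open without subscribing it to push events). The function names, the Decision type, the allowlist contents and the port 6806 are assumptions for the example; the request objects are constructed inline so the block runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins is the assumed set of origins permitted to open a WebSocket
// to the kernel. The port 6806 is an assumption for this example, not a value
// taken from the advisory.
var allowedOrigins = map[string]bool{
	"http://127.0.0.1:6806": true,
	"http://localhost:6806": true,
}

// originAllowed reports whether the Origin header of an upgrade request is in
// the allowlist. Browsers always send Origin on WebSocket handshakes, so an
// absent header means a non-browser client; that client is not rejected here
// because it still has to pass the authentication check in hardenedDecide.
func originAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return allowedOrigins[strings.ToLower(u.Scheme+"://"+u.Host)]
}

// isKeepAliveBypass matches the login-page keep-alive parameters the
// advisory quotes: ?app=siyuan&id=auth&type=auth.
func isKeepAliveBypass(q url.Values) bool {
	return q.Get("app") == "siyuan" && q.Get("id") == "auth" && q.Get("type") == "auth"
}

// Decision is the outcome of a WebSocket upgrade attempt (assumed type).
type Decision struct {
	Accept     bool   // whether the handshake is completed
	PushEvents bool   // whether server push events are sent on this connection
	Reason     string // short explanation for logging
}

// vulnerableDecide mirrors the behaviour the advisory describes for <= 3.6.0:
// the keep-alive parameters skip authentication, Origin is never inspected,
// and every accepted connection receives all push events.
func vulnerableDecide(r *http.Request, authenticated bool) Decision {
	if isKeepAliveBypass(r.URL.Query()) || authenticated {
		return Decision{Accept: true, PushEvents: true, Reason: "accepted"}
	}
	return Decision{Accept: false, PushEvents: false, Reason: "unauthenticated"}
}

// hardenedDecide is one possible fix (not the project's patch): cross-origin
// handshakes are refused outright, a keep-alive connection may open without
// authentication but is never subscribed to push events, and everything else
// still needs a valid session.
func hardenedDecide(r *http.Request, authenticated bool) Decision {
	if !originAllowed(r) {
		return Decision{Accept: false, PushEvents: false, Reason: "origin not allowed"}
	}
	if isKeepAliveBypass(r.URL.Query()) {
		return Decision{Accept: true, PushEvents: false, Reason: "keep-alive only"}
	}
	if !authenticated {
		return Decision{Accept: false, PushEvents: false, Reason: "unauthenticated"}
	}
	return Decision{Accept: true, PushEvents: true, Reason: "accepted"}
}

// newUpgrade builds a constructed WebSocket handshake request for the example;
// an empty origin omits the header, as a non-browser client would.
func newUpgrade(rawURL, origin string) *http.Request {
	r, err := http.NewRequest("GET", rawURL, nil)
	if err != nil {
		panic(err)
	}
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	// A malicious page on another origin using the keep-alive parameters.
	evil := newUpgrade("http://127.0.0.1:6806/ws?app=siyuan&id=auth&type=auth", "https://attacker.example")
	fmt.Printf("vulnerable: %+v\n", vulnerableDecide(evil, false))
	fmt.Printf("hardened:   %+v\n", hardenedDecide(evil, false))
}
```

The Origin check alone would not be enough: a non-browser client sends no Origin header, so the keep-alive path must also stop delivering push events to unauthenticated connections, which is what the PushEvents flag models.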

Tracking


Advisories

Source: GitHub GHSA
ID: GHSA-xp2m-98x8-rpj6
Title: SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
History

Mon, 23 Mar 2026 18:30:00 +0000

Values removed: none. Values added:
  First Time appeared: B3log; B3log siyuan
  CPEs: cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
  Vendors & Products: B3log; B3log siyuan
  Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Mar 2026 21:15:00 +0000

Values removed: none. Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Values removed: none. Values added:
  First Time appeared: Siyuan; Siyuan siyuan
  Vendors & Products: Siyuan; Siyuan siyuan

Thu, 19 Mar 2026 21:45:00 +0000

Values removed: none. Values added:
  Description: SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.
  Title: SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
  Weaknesses: CWE-287
  References: (none listed)
  Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:22:46.364Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32815

Vulnrichment

Updated: 2026-03-20T20:22:37.527Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:42.167

Modified: 2026-03-23T18:20:00.913

Link: CVE-2026-32815

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:40Z

Weaknesses