Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to open a WebSocket connection to the SiYuan kernel server when a specific 'auth keepalive' query parameter is supplied. Within an established connection, the server parses incoming JSON messages using unchecked type assertions. A crafted malformed message can trigger a runtime panic, causing the kernel process to crash and the service to become unavailable. The weakness is represented by CWE‑248 (Unchecked Return Value) and CWE‑306 (Missing Authentication for Critical Function). This results in a denial of service that can affect all users of the affected instance but does not provide the attacker with escalation or data exfiltration capabilities.

Affected Systems

SiYuan, the personal knowledge management system, is affected. All versions of the SiYuan kernel WebSocket server released prior to 3.6.2 are vulnerable. The issue was addressed in version 3.6.2 by removing unauthenticated WebSocket access and validating message types.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of automated exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by establishing a WebSocket connection with the keepalive parameter, then sending crafted JSON payloads to induce a panic. The risk is particularly relevant for publicly exposed SiYuan servers that have not applied the patch, as the DoS can disrupt service availability for all users.

Generated by OpenCVE AI on March 23, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SiYuan to version 3.6.2 or later to eliminate the unauthenticated WebSocket access and input validation flaw.
  • If an upgrade is not immediately possible, restrict or block WebSocket connections that include the 'auth keepalive' query parameter using firewall or application layer controls.
  • Verify that no other authentication bypasses exist on the WebSocket endpoint and confirm that proper type checking is enforced for all JSON inputs.
  • Monitor system logs for panic messages or repeated crashes and implement automatic restart routines to maintain service availability.
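The unchecked type assertion described in the Impact section, beside the checked form that the recommended actions call for, as an added Go example that is not SiYuan's code: the message shape (a `cmd` string and a `data` object) and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Message is a constructed stand-in; the "cmd"/"data" keys are assumed, not SiYuan's wire format.
type Message struct {
	Cmd  string
	Data map[string]any
}

var ErrMalformed = errors.New("malformed message")

// ParseUnchecked shows the vulnerable pattern: a bare type assertion on attacker-controlled
// JSON panics when a key is missing or has another type, and an unrecovered panic kills the process.
func ParseUnchecked(raw []byte) Message {
	var m map[string]any
	_ = json.Unmarshal(raw, &m) // error ignored, as in the vulnerable pattern
	return Message{
		Cmd:  m["cmd"].(string),          // panics on {"cmd":1} or a missing key
		Data: m["data"].(map[string]any), // panics on {"data":[]} or a missing key
	}
}

// ParseChecked is the hardened form: comma-ok assertions turn bad input into an error instead of a panic.
func ParseChecked(raw []byte) (Message, error) {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return Message{}, fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	cmd, ok := m["cmd"].(string)
	if !ok || cmd == "" {
		return Message{}, fmt.Errorf("%w: cmd must be a non-empty string", ErrMalformed)
	}
	data, ok := m["data"].(map[string]any)
	if !ok {
		return Message{}, fmt.Errorf("%w: data must be a JSON object", ErrMalformed)
	}
	return Message{Cmd: cmd, Data: data}, nil
}

func main() {
	_, err := ParseChecked([]byte(`{"cmd":1,"data":{}}`)) // constructed malformed input
	fmt.Println("checked parser rejects it instead of panicking:", err)
}
```

A per-connection handler should additionally wrap message processing in a deferred recover() so that any remaining panic closes only that connection rather than the process.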

Advisories

Source: Github GHSA
ID: GHSA-3g9h-9hp4-654v
Title: SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
History

Mon, 23 Mar 2026 19:00:00 +0000

Type: First Time appeared
Values Added: B3log; B3log siyuan

Type: CPEs
Values Added: cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: B3log; B3log siyuan

Mon, 23 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Siyuan; Siyuan siyuan

Type: Vendors & Products
Values Added: Siyuan; Siyuan siyuan

Fri, 20 Mar 2026 22:45:00 +0000

Type: Description
Values Added: SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.

Type: Title
Values Added: SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass

Type: Weaknesses
Values Added: CWE-248; CWE-306

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T16:46:04.215Z

Reserved: 2026-03-17T23:23:58.312Z

Link: CVE-2026-33203

Vulnrichment

Updated: 2026-03-23T16:45:55.996Z

NVD

Status: Analyzed

Published: 2026-03-20T23:16:45.520

Modified: 2026-03-23T18:48:43.490

Link: CVE-2026-33203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:18Z

Weaknesses