Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue.
Published: 2026-03-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Document Reading
Action: Immediate Patch
AI Analysis

Impact

SiYuan, a personal knowledge management system, has an API flaw in its publishing service that lets an unauthenticated attacker read any stored document. The /api/file/readDir endpoint returns document IDs, and /api/block/getChildBlocks then returns the content of each document; because neither call enforces proper access controls, an attacker can walk the directory tree and extract every document, including confidential material from any user. The advisory tags the weakness as CWE-125 (Out-of-bounds Read), but the behavior described is a missing authorization check on document reads rather than a memory-safety defect, so treat it as an access-control issue when triaging.

Affected Systems

This flaw affects the siyuan application from the vendor siyuan-note (tracked by NVD under the vendor name B3log, with the CPE cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*). All versions before 3.6.2 are vulnerable because they ship the flawed API chain. Check the running version of every SiYuan instance, in particular any whose publishing service is reachable from untrusted networks, and upgrade if it is older than 3.6.2.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the issue critical. Note that the vector claims high impact on confidentiality, integrity and availability, while the behavior described is arbitrary document reading, i.e. a confidentiality loss. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the vulnerability is not in CISA's KEV catalog, although the SSVC assessment in the history below records a public proof of concept (Exploitation: poc). The attack vector is remote, over the publishing service's exposed API: an unauthenticated attacker can call the two endpoints in sequence to enumerate and extract all documents with no privileges and no user interaction, which makes the risk significant for anyone relying on SiYuan for private knowledge storage.
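Two checks a defender would want from the two sections above, written here as an added example in Python rather than taken from the SiYuan project or the advisory: a version comparison against the 3.6.2 fix, and a log search for the readDir-then-getChildBlocks sequence from a single source. The access-log lines are constructed for illustration in a common-log-style format; SiYuan's actual log format and the request parameters of the two endpoints are not on this page and are not assumed here. Only the endpoint paths named in the advisory are used.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Version that contains the fix, per the advisory.
FIXED_VERSION = (3, 6, 2)

# The two endpoints named in the advisory, called in this order to enumerate
# document IDs and then read document content.
ENUM_ENDPOINT = "/api/file/readDir"
READ_ENDPOINT = "/api/block/getChildBlocks"


def parse_version(version):
    """Turn a version string such as '3.5.9' or 'v3.6.2' into an int tuple.
    Anything after the three numeric components (e.g. '-beta') is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True for any release older than 3.6.2."""
    return parse_version(version) < FIXED_VERSION


# Constructed sample access log (not real SiYuan output). 203.0.113.7 shows the
# advisory's pattern: one readDir call followed by repeated getChildBlocks calls.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [26/Mar/2026:10:00:01 +0000] "POST /api/file/readDir HTTP/1.1" 200 512
203.0.113.7 - - [26/Mar/2026:10:00:02 +0000] "POST /api/block/getChildBlocks HTTP/1.1" 200 8192
203.0.113.7 - - [26/Mar/2026:10:00:03 +0000] "POST /api/block/getChildBlocks HTTP/1.1" 200 9001
198.51.100.4 - - [26/Mar/2026:10:05:00 +0000] "POST /api/block/getChildBlocks HTTP/1.1" 200 300
192.0.2.9 - - [26/Mar/2026:11:00:00 +0000] "POST /api/file/readDir HTTP/1.1" 200 400
192.0.2.9 - - [26/Mar/2026:11:30:00 +0000] "POST /api/block/getChildBlocks HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Parse one common-log-style line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_enumeration_chain(log_text, window=timedelta(minutes=5), min_reads=2):
    """Return {source_ip: number_of_reads} for sources that called readDir and
    then, within `window`, called getChildBlocks at least `min_reads` times.
    Only successful (200) requests count; a failed call would not return data."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["status"] == 200:
            events[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["path"] != ENUM_ENDPOINT:
                continue
            reads = [
                r for r in recs[i + 1:]
                if r["path"] == READ_ENDPOINT and r["ts"] - rec["ts"] <= window
            ]
            if len(reads) >= min_reads:
                findings[ip] = len(reads)
                break
    return findings


if __name__ == "__main__":
    for v in ("3.5.9", "3.6.1", "3.6.2", "v3.10.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    print(detect_enumeration_chain(SAMPLE_ACCESS_LOG))
```

The window and read-count thresholds are tuning knobs: a legitimate authenticated client may well call both endpoints, so on an instance where the API is meant to be reachable the rule is a lead to investigate, not proof of compromise. On an instance that is supposed to be patched, any hit from an unexpected source is still worth checking against the version reported by the server.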

Generated by OpenCVE AI on March 30, 2026 at 18:28 UTC.

Remediation

The vendor fix is version 3.6.2 (see the description above); no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.2 or later.



Advisories
Source | ID | Title
GitHub GHSA | GHSA-34xj-66v3-6j83 | SiYuan has Arbitrary Document Reading within the Publishing Service
History

Mon, 30 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | B3log; B3log siyuan
CPEs | | cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products | | B3log; B3log siyuan

Sat, 28 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc (version 2.0.3): Exploitation: poc; Automatable: no; Technical Impact: total


Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Siyuan; Siyuan siyuan
Vendors & Products | | Siyuan; Siyuan siyuan

Thu, 26 Mar 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue.
Title | | SiYuan has Arbitrary Document Reading within the Publishing Service
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:26:40.149Z

Reserved: 2026-03-23T16:34:59.929Z

Link: CVE-2026-33669

Vulnrichment

Updated: 2026-03-27T20:26:36.991Z

NVD

Status : Analyzed

Published: 2026-03-26T22:16:29.887

Modified: 2026-03-30T17:03:33.350

Link: CVE-2026-33669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:23Z

Weaknesses