Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
Published: 2026-03-31
Score: 7.5 High
EPSS: 3.4% Low
KEV: No
Impact: Unauthorized Data Disclosure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from a broken access control in SiYuan's publish API endpoint /api/bookmark/getBookmark. Because the filter does not enforce the publish password when the request context is nil, an unauthenticated visitor can retrieve bookmarked blocks from documents that are otherwise password‑protected. The result is that sensitive content can be read by anyone who can reach the publish service, leading to a confidentiality breach. The weakness is a classic example of CWE‑863: Missing Authorization.
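The defect described above is a fail-open nil check: the access filter interprets "no request context" as "fully authorized" instead of "anonymous". The Go program below is an added illustration written for this page, not SiYuan's source; `Block`, `Document`, `VisitorContext`, `filterVulnerable`, `filterFixed` and the sample document IDs are all constructed, and only the behaviour (nil context skips the password check in the vulnerable variant, fails closed in the fixed one) follows the advisory.

```go
package main

import "fmt"

// Block is a constructed stand-in for a bookmarked block: it belongs to a
// document (RootID) and carries the text a publish visitor would see.
type Block struct {
	RootID  string
	Content string
}

// Document records whether the owner marked it Protected in publish mode.
type Document struct {
	ID        string
	Protected bool
}

// VisitorContext is a hypothetical per-request context. Unlocked holds the
// IDs of protected documents for which this visitor supplied the password.
type VisitorContext struct {
	Unlocked map[string]bool
}

// filterVulnerable reproduces the fail-open logic the advisory describes:
// a nil context is treated as authorized, so the password check is skipped.
// This is an illustrative reconstruction, not SiYuan's code.
func filterVulnerable(ctx *VisitorContext, docs map[string]Document, blocks []Block) []Block {
	if ctx == nil {
		return blocks // bug: an unauthenticated caller sees every block
	}
	return keepAccessible(ctx, docs, blocks)
}

// filterFixed fails closed: a nil context means "anonymous publish visitor",
// who has unlocked nothing, so blocks from Protected documents are dropped.
func filterFixed(ctx *VisitorContext, docs map[string]Document, blocks []Block) []Block {
	if ctx == nil {
		ctx = &VisitorContext{Unlocked: map[string]bool{}}
	}
	return keepAccessible(ctx, docs, blocks)
}

// keepAccessible returns blocks whose document is either unprotected or has
// been unlocked by this visitor. Blocks whose root is unknown are denied.
func keepAccessible(ctx *VisitorContext, docs map[string]Document, blocks []Block) []Block {
	var out []Block
	for _, b := range blocks {
		doc, known := docs[b.RootID]
		if !known {
			continue // unknown root: deny rather than guess
		}
		if doc.Protected && !ctx.Unlocked[b.RootID] {
			continue
		}
		out = append(out, b)
	}
	return out
}

// sampleData builds a constructed corpus: one public and one Protected
// document, each with a single bookmarked block.
func sampleData() (map[string]Document, []Block) {
	docs := map[string]Document{
		"doc-public": {ID: "doc-public", Protected: false},
		"doc-secret": {ID: "doc-secret", Protected: true},
	}
	blocks := []Block{
		{RootID: "doc-public", Content: "meeting notes"},
		{RootID: "doc-secret", Content: "token rotation schedule"},
	}
	return docs, blocks
}

func main() {
	docs, blocks := sampleData()
	fmt.Println("vulnerable, nil ctx:", filterVulnerable(nil, docs, blocks))
	fmt.Println("fixed, nil ctx:     ", filterFixed(nil, docs, blocks))
	unlocked := &VisitorContext{Unlocked: map[string]bool{"doc-secret": true}}
	fmt.Println("fixed, unlocked:    ", filterFixed(unlocked, docs, blocks))
}
```

The design point is that an absent context must map to the least-privileged caller, never to the most privileged one; the fixed variant normalises nil to an empty visitor before the shared check runs, so every code path goes through the same deny-by-default logic.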

Affected Systems

The flaw affects the SiYuan personal knowledge-management application, specifically all releases prior to version 3.6.2. An attacker only needs network access to the publish service exposed by a SiYuan instance. Because the issue lives in the bookmark API's publish filter, any SiYuan deployment that runs the publish (read-only) service is affected.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, and the EPSS value of 7 % suggests a modest but realistic likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation is publicly documented. Exploitation requires only network access to the publish endpoint and the presence of at least one bookmark in a protected document; no authentication is needed, so the attack path is straightforward against any instance whose publish service is reachable from the internet.

Generated by OpenCVE AI on April 3, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.2 or later, which removes the authentication bypass in the bookmark API.
  • After upgrading, verify that accessing /api/bookmark/getBookmark no longer returns content from protected documents.
  • If an upgrade is not immediately possible, disable the publish feature or remove bookmarks from protected documents until the fix is applied, and monitor logs for evidence of unauthorized reads.



Advisories
Source: GitHub GHSA
ID: GHSA-c77m-r996-jr3q
Title: SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
History

Fri, 03 Apr 2026 17:45:00 +0000

Values Added:
First Time appeared: B3log; B3log siyuan
CPEs: cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products: B3log; B3log siyuan

Fri, 03 Apr 2026 10:15:00 +0000

Values Added:
First Time appeared: Siyuan; Siyuan siyuan
Vendors & Products: Siyuan; Siyuan siyuan

Wed, 01 Apr 2026 02:15:00 +0000

Values Added:
Description: SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
Title: SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content
Weaknesses: CWE-863
References: (none)
Metrics: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:53:02.043Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34453

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-31T22:16:20.483

Modified: 2026-04-03T16:53:22.330

Link: CVE-2026-34453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:27Z

Weaknesses