Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint, default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir — including conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db, temp/blocktree.db, and siyuan.log — by double-URL-encoding .. segments. This vulnerability is fixed in 3.7.0.
Published: 2026-06-24
Score: 7.5 High
EPSS: 1.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan allows unauthenticated remote users to retrieve arbitrary files on the server through double‑URL‑encoded traversal sequences sent to the /assets/*path endpoint when the application is running in publish mode (the anonymous read‑only HTTP endpoint, default port 6808). The flaw is the same root cause that was addressed in the earlier CVE‑2026‑41894 by sanitising the /export/ route, but the /assets/*path route remains vulnerable. By sending double‑URL‑encoded '..' segments, an attacker can read sensitive files inside the WorkspaceDir, including conf/conf.json (which holds the AccessAuthCode SHA‑256 hash, API token, and sync keys), temp/siyuan.db, temp/blocktree.db, and siyuan.log. This results in a significant loss of confidentiality for anyone exposed to the publish endpoint (CWE‑22, CWE‑23, CWE‑1188).

Affected Systems

The issue affects all releases of the siyuan-note:siyuan product prior to version 3.7.0. Any deployment of SiYuan running in publish mode before the release of 3.7.0 is susceptible; versions 3.7.0 and later contain the fix.

Risk and Exploitability

The CVSS base score of 7.5 indicates medium‑high severity, reflecting that the vulnerability is exploitable without authentication and can lead to disclosure of secrets. The EPSS score is 2%, indicating a low exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. An attacker only needs network access to the publish port 6808 to enumerate and read arbitrary files; there are no preconditions beyond the publish mode being enabled, making the attack vector likely from externally reachable hosts or internal network scanners. The impact is confined to confidentiality loss and potential post‑exploitation capabilities for an attacker who can read sensitive files.

Generated by OpenCVE AI on June 25, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading SiYuan to version 3.7.0 or later.
  • If upgrading is not immediately possible, disable publish mode to eliminate the unauthenticated file‑retrieval path.
  • Restrict network access to the publish port (default 6808) using firewall rules or container network policies to limit exposure to trusted hosts.

Generated by OpenCVE AI on June 25, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p4m3-mgmm-c664 SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894
History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint, default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir — including conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db, temp/blocktree.db, and siyuan.log — by double-URL-encoding .. segments. This vulnerability is fixed in 3.7.0.
Title SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read)
Weaknesses CWE-1188
CWE-22
CWE-23
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T12:33:20.102Z

Reserved: 2026-06-11T18:24:35.097Z

Link: CVE-2026-54066

cve-icon Vulnrichment

Updated: 2026-06-25T12:33:04.885Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:45:02Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default

  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-23

    Relative Path Traversal