Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
Published: 2026-06-24
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan is an open‑source personal knowledge management system. Prior to 3.7.0, its kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension—including a compromised legitimate extension via supply chain attack—can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.

Affected Systems

The vulnerability affects all installations of SiYuan Note older than version 3.7.0. Desktop deployments run with the default empty AccessAuthCode, increasing the risk because no additional authentication barrier exists.

Risk and Exploitability

With a CVSS score of 9.2 the flaw is considered critical. The EPSS score is not available, and the vulnerability is not yet listed in CISA’s KEV catalog. Attackers can exploit the flaw via any installed extension that can access the localhost endpoint, likely from a supply‑chain compromised or malicious extension. The attack is straightforward given the lack of origin validation and the absence of authentication for administrative calls.

Generated by OpenCVE AI on June 25, 2026 at 00:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SiYuan package (v3.7.0 or newer) as it removes the unconditional origin trust and enforces proper authentication.
  • If upgrading immediately is not possible, set a non‑empty AccessAuthCode in the SiYuan configuration to add an extra authentication step for administrative API calls.
  • Restrict the browser’s access to the localhost host by configuring extensions to disallow navigation to 127.0.0.1 or by using a firewall rule that blocks or limits traffic from extensions to that address.

Generated by OpenCVE AI on June 25, 2026 at 00:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hvr9-72v2-fff3 SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
History

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
Title SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:55:20.853Z

Reserved: 2026-06-11T18:24:35.097Z

Link: CVE-2026-54069

cve-icon Vulnrichment

Updated: 2026-06-25T13:54:29.973Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses