Impact
SiYuan is an open‑source personal knowledge management system. Prior to 3.7.0, its kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension—including a compromised legitimate extension via supply chain attack—can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
Affected Systems
The vulnerability affects all installations of SiYuan Note older than version 3.7.0. Desktop deployments run with the default empty AccessAuthCode, increasing the risk because no additional authentication barrier exists.
Risk and Exploitability
With a CVSS score of 9.2 the flaw is considered critical. The EPSS score is not available, and the vulnerability is not yet listed in CISA’s KEV catalog. Attackers can exploit the flaw via any installed extension that can access the localhost endpoint, likely from a supply‑chain compromised or malicious extension. The attack is straightforward given the lack of origin validation and the absence of authentication for administrative calls.
OpenCVE Enrichment
Github GHSA