Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.5.5 / 0.0.0-20260118092326-b2274baba2e1 (Go module pseudo-version)
CVE-2026-23850 is a Server-Side Request Forgery (SSRF) vulnerability in the SiYuan kernel, the Go core of the SiYuan note-taking application. An attacker can make the kernel fetch attacker-chosen resources on its own behalf and thereby read arbitrary files the kernel process can access, leading to data exposure and potential privilege escalation. Kernel versions prior to 0.0.0-20260118092326-b2274baba2e1 are affected; a patched version has been released.
The SSRF vulnerability allows an attacker to craft requests that the server then executes on the attacker's behalf, effectively turning the kernel into a proxy. Because the kernel can be pointed at local resources as well as remote ones, this lets the attacker read any file the SiYuan process has access to, including configuration files, stored database credentials and other sensitive data. Direct remote code execution is unlikely, but an arbitrary file read exposes internal system information and is a common stepping stone to further compromise. The blast radius depends on how the server is configured and which permissions the kernel process runs with.
CVE-2026-23850 was publicly disclosed on 2026-02-03. At the time of writing there is no indication of active exploitation, no public proof-of-concept (PoC) code has been released, and the vulnerability is not listed in the CISA KEV catalog. SSRF is a commonly exploited vulnerability class, however, so vigilance is advised.
Organizations and individuals using SiYuan for note-taking and knowledge management are at risk, particularly those running self-hosted instances or deployments where the SiYuan Kernel is exposed to external networks. Shared hosting environments where multiple users share the same SiYuan instance are also at increased risk.
• go / server: Examine kernel and application logs for unexpected outbound requests, especially requests to loopback, link-local or private address ranges, or requests using URL schemes other than http(s). Use ss or netstat to watch live connections from the SiYuan process to internal hosts.
ss -4 -tn | grep '<internal_ip_address>'
• generic web: Monitor access logs for requests that reference internal resources or unusual file paths, and check for responses that return raw file contents or internal service output instead of rendered notes.
grep '/internal/path' /var/log/apache2/access.log
Exploit status
EPSS: 0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2026-23850 is to upgrade the SiYuan kernel to 0.0.0-20260118092326-b2274baba2e1 or later without delay. If upgrading is not immediately possible, apply temporary workarounds: restrict outbound network access for the kernel process with a host firewall or network segmentation, run the kernel as a dedicated low-privilege user with access to as few files as possible so that a file read exposes little, and monitor for unexpected outbound requests from the kernel process. After upgrading, confirm the fix by issuing a controlled request that points the kernel at a non-sensitive internal resource and verifying that it is refused.
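The "restrict what the kernel will fetch" part of the workaround above, and the log check from the detection section, look like the following in Go. This is an added example written for this page, not code from the SiYuan project: `CheckFetchTarget`, `FlaggedFetches`, the injected `Resolver`, the `url=` log format and the `.example` hostnames are all constructed for illustration, and the example assumes the vulnerable path is a server-side fetch of an attacker-controlled URL during rendering.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrBlocked marks a fetch target the renderer must never contact.
var ErrBlocked = errors.New("fetch target blocked")

// isBlockedIP reports whether a note renderer should refuse to fetch from ip.
// IsPrivate covers RFC 1918 and fc00::/7, IsLinkLocalUnicast covers 169.254/16
// (cloud metadata) and fe80::/10, and Go unwraps IPv4-mapped IPv6 before these
// checks. Production code should also deny CGNAT (100.64/10), 0/8 and NAT64.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast()
}

// Resolver is injected so the example runs offline (production: net.DefaultResolver.LookupIP).
type Resolver func(host string) ([]net.IP, error)

// CheckFetchTarget decides whether the renderer may fetch raw: only http/https
// pass (so file:// never reaches the filesystem), and the host's literal or
// resolved addresses must not be internal.
func CheckFetchTarget(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrBlocked, err)
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return fmt.Errorf("%w: scheme %q not allowed", ErrBlocked, u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not a literal address (or empty): ask the resolver
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("%w: cannot resolve %q", ErrBlocked, host)
		}
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("%w: %s -> %s is internal", ErrBlocked, host, ip)
		}
	}
	return nil
}

// FlaggedFetches applies the same check to log lines and returns the URLs it
// would have blocked; the "url=" field is a constructed format, not SiYuan's.
func FlaggedFetches(lines []string, resolve Resolver) []string {
	var hits []string
	for _, line := range lines {
		for _, f := range strings.Fields(line) {
			raw, ok := strings.CutPrefix(f, "url=")
			if ok && errors.Is(CheckFetchTarget(raw, resolve), ErrBlocked) {
				hits = append(hits, raw)
			}
		}
	}
	return hits
}

// constructedResolver stands in for DNS with fixed answers.
var constructedResolver Resolver = func(host string) ([]net.IP, error) {
	switch host {
	case "notes.example":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "intranet.example": // public-looking name that points into the LAN
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// constructedLines are sample log lines in the hypothetical "url=" format.
var constructedLines = []string{
	"2026-02-03T10:00:01Z render fetch url=https://notes.example/diagram.png",
	"2026-02-03T10:00:02Z render fetch url=file:///etc/passwd",
	"2026-02-03T10:00:03Z render fetch url=http://127.0.0.1/",
	"2026-02-03T10:00:04Z render fetch url=http://[::ffff:10.0.0.1]/",
	"2026-02-03T10:00:05Z render fetch url=http://intranet.example/",
}

func main() {
	for _, u := range FlaggedFetches(constructedLines, constructedResolver) {
		fmt.Println("blocked:", u)
	}
}
```

Two caveats apply when this is wired into a real fetcher. Checking resolved addresses before connecting is racy against DNS rebinding, so the same `isBlockedIP` test belongs in the `http.Transport` `DialContext` on the address actually being connected to; and every redirect hop must be re-validated via `http.Client.CheckRedirect`, since a permitted public host can redirect into the LAN.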
Update SiYuan to version 3.5.4 or later. This version fixes the arbitrary file read (LFD) vulnerability caused by unrestricted server-side HTML rendering in the markdown function. The update prevents unauthorized access to sensitive files on the system.
CVE-2026-23850 is a Server-Side Request Forgery (SSRF) vulnerability in the SiYuan Kernel, allowing attackers to potentially read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using SiYuan Kernel versions prior to 0.0.0-20260118092326-b2274baba2e1. Upgrade to the patched version to mitigate the risk.
Upgrade SiYuan Kernel to version 0.0.0-20260118092326-b2274baba2e1 or later. As temporary protection, validate the URLs the kernel is allowed to fetch (allow only http/https and reject loopback, link-local and private targets) and consider placing a WAF in front of the instance.
There is currently no indication of active exploitation campaigns, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the official SiYuan project website or GitHub repository for the latest security advisories and updates related to CVE-2026-23850.