SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

The impact of this SQL Injection vulnerability is severe. An authenticated attacker, even with a limited 'Reader' role, can execute arbitrary SQL commands against the SiYuan Note database. This includes SELECT statements to extract sensitive data like user credentials, notes, and attachments. More concerningly, attackers can use DELETE, UPDATE, and DROP TABLE commands to modify or completely destroy data, leading to data loss and service disruption. The ability to execute arbitrary SQL also opens the door to potential privilege escalation and even remote code execution, depending on the database configuration and underlying operating system. This vulnerability shares similarities with other SQL Injection flaws where database access is gained through manipulated input, potentially allowing attackers to gain full control of the application’s data and functionality.

Organizations and individuals using SiYuan Note, particularly those with sensitive data stored within the application, are at risk. Shared hosting environments where multiple users share a single SiYuan Note instance are especially vulnerable, as a compromised user account could potentially impact the entire environment. Users relying on legacy configurations or outdated versions of SiYuan Note are also at increased risk.

• linux / server: Monitor SiYuan Note application logs for unusual SQL queries, particularly those involving the /api/search/fullTextSearchBlock endpoint. Use journalctl -u siyuan to filter for relevant log entries.

journalctl -u siyuan | grep '/api/search/fullTextSearchBlock'

• database (mysql, redis, mongodb, postgresql): If SiYuan Note uses a database accessible from the server, monitor for suspicious SQL queries. For example, using mysql:

mysql -u <user> -p -e "SHOW PROCESSLIST;"

• generic web: Monitor web server access logs for requests to /api/search/fullTextSearchBlock with unusual parameters. Use grep to search for suspicious patterns.

grep '/api/search/fullTextSearchBlock' /var/log/apache2/access.log

1. 2026-03-13Discovery

   discovery

2. 2026-03-16Disclosure

   disclosure

1. Reserviert2026-03-13
2. Veröffentlicht2026-03-16
3. Geändert2026-03-30
4. EPSS aktualisiert2026-03-27

The primary mitigation for CVE-2026-32767 is to immediately upgrade SiYuan Note to version 3.6.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and sanitization on the /api/search/fullTextSearchBlock endpoint are crucial. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can provide an additional layer of defense. Specifically, WAF rules should be configured to inspect the method parameter for suspicious SQL syntax. Carefully review and restrict database user permissions to minimize the potential damage from a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection payload through the /api/search/fullTextSearchBlock endpoint and verifying that the request is properly rejected.