Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.1, 3.6.0
CVE-2026-32110 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the SiYuan Kernel component of the SiYuan note-taking application. This vulnerability allows attackers to potentially access internal resources and sensitive data by manipulating the /api/network/forwardProxy endpoint. The vulnerability impacts versions of SiYuan Kernel before v3.6.0. A fix is available in version 3.6.0.
The SSRF vulnerability in SiYuan Kernel allows an attacker to craft malicious requests through the /api/network/forwardProxy endpoint. This can lead to unauthorized access to internal services and resources that are not directly exposed to the internet. An attacker could potentially read sensitive data stored within the SiYuan application or even interact with other internal systems. The full-read nature of the SSRF means the attacker isn't limited to specific protocols or ports, significantly expanding the potential attack surface. While no immediate data exfiltration is guaranteed, successful exploitation could provide valuable reconnaissance information for further attacks.
CVE-2026-32110 was publicly disclosed on 2026-03-12. The vulnerability is present in the github.com/siyuan-note/siyuan/kernel Go module. There is no indication of active exploitation or KEV listing as of this writing. Public proof-of-concept code is currently unavailable, but the SSRF nature of the vulnerability makes it likely that such code will emerge.
Exploit Status
EPSS: 0.04% (14th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32110 is to upgrade SiYuan Kernel to version 3.6.0 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the SiYuan server using a firewall or proxy. Carefully review and restrict the allowed domains or IP addresses that the /api/network/forwardProxy endpoint can access. Implementing a Web Application Firewall (WAF) with SSRF protection rules can also help to block malicious requests. Monitor application logs for suspicious outbound requests originating from the /api/network/forwardProxy endpoint.
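The destination restriction described above can be enforced in Go at two points: on the requested URL, and on the resolved address at connect time, which also covers hostnames that resolve to internal addresses. This is an added example, not SiYuan's code or its 3.6.0 fix; the names ErrBlocked, IsInternal, CheckURL, CheckDial and NewClient and the sample URLs are assumptions made for illustration.

```go
package main
import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

var ErrBlocked = errors.New("destination not allowed")

// IsInternal reports loopback, private, link-local, multicast and unspecified addresses.
func IsInternal(a netip.Addr) bool {
	a = a.Unmap() // treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsMulticast() || a.IsUnspecified()
}

// CheckURL is the pre-flight check: http(s) only, and no internal IP literal as host.
func CheckURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return ErrBlocked
	}
	if a, err := netip.ParseAddr(u.Hostname()); err == nil && IsInternal(a) {
		return ErrBlocked
	}
	return nil
}

// CheckDial is a net.Dialer Control hook: it checks the resolved IP:port of every connection, redirects included.
func CheckDial(_, address string, _ syscall.RawConn) error {
	if ap, err := netip.ParseAddrPort(address); err != nil || IsInternal(ap.Addr()) {
		return ErrBlocked
	}
	return nil
}

// NewClient returns an HTTP client whose outbound connections all pass CheckDial.
func NewClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: CheckDial}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() { // constructed sample targets
	fmt.Println(CheckURL("http://127.0.0.1:8080/"), CheckURL("https://example.com/"))
}
```

A forwarding handler would call CheckURL on the requested target and then send the request with NewClient, so the connect-time check applies even when the URL check passes.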
Update SiYuan to version 3.6.0 or later. This version fixes the SSRF vulnerability in the /api/network/forwardProxy endpoint. The update will prevent authenticated users from making arbitrary HTTP requests from the server.
CVE-2026-32110 is a Server-Side Request Forgery (SSRF) vulnerability in the SiYuan Kernel component, allowing attackers to potentially access internal resources via the /api/network/forwardProxy endpoint.
You are affected if you are using SiYuan Kernel versions prior to 3.6.0. Assess your environment to determine if you are running a vulnerable version.
Upgrade SiYuan Kernel to version 3.6.0 or later. As a temporary workaround, restrict outbound network access from the SiYuan server.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the SiYuan project's official security advisories and release notes for details on CVE-2026-32110 and the corresponding fix.