Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.3, 0.0.1
CVE-2026-33669 describes an unauthorized document access vulnerability within SiYuan Note. By exploiting the /api/file/readDir and /api/block/getChildBlocks interfaces, an attacker can retrieve document IDs and subsequently view the content of all documents without proper authorization. This issue affects SiYuan Note versions up to and including 0.0.0-20260317012524-fe4523fff2c8. The vulnerability is fixed in version 3.6.2.
CVE-2026-33669 in SiYuan allows an attacker with read access to documents to read the content of all documents within the system. The issue chains two APIs: /api/file/readDir is used to enumerate document IDs, and /api/block/getChildBlocks is then called with those IDs to fetch the documents' content. Because /api/block/getChildBlocks does not properly validate the request, an attacker who knows a document ID can retrieve all of its content blocks, exposing any sensitive information stored in those documents. The impact is significant, especially in environments where SiYuan is used to store confidential information.
An attacker could exploit this vulnerability if they have read access to documents in SiYuan, whether through a legitimate user account with read permissions or through a vulnerability in another component that gives them access to the network where SiYuan is running. Once the attacker has a document ID, they can use the /api/block/getChildBlocks API to read the entire content of that document, including sensitive information such as passwords, personal data, or confidential business information. The ease of exploitation makes this vulnerability particularly concerning.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33669 is to update SiYuan to version 3.6.2 or higher. This version includes a fix that properly validates requests to the /api/block/getChildBlocks API, preventing unauthorized access to document content. Additionally, it is recommended to review document access permissions in SiYuan to ensure that only authorized users have access to sensitive information. Monitoring system logs for suspicious activity related to the /api/file/readDir and /api/block/getChildBlocks APIs can also help detect and respond to potential attacks.
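The log-monitoring advice above can be made concrete. The following Go program is an added example and not part of the advisory or of SiYuan's own code: it parses a constructed access-log excerpt (the line format "timestamp client method path status" is an assumption, not SiYuan's real log layout) and flags any client whose successful /api/file/readDir call is followed within a time window by a burst of successful /api/block/getChildBlocks calls, which is the listing-then-bulk-read pattern the advisory describes. Malformed lines are counted and skipped rather than aborting the run.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Endpoint paths named in the advisory.
const (
	readDirPath     = "/api/file/readDir"
	childBlocksPath = "/api/block/getChildBlocks"
)

// accessEvent is one parsed request line from an access log kept in front of
// the SiYuan kernel (reverse proxy or similar).
type accessEvent struct {
	At     time.Time
	Client string
	Path   string
	Status int
}

// enumerationAlert reports one client that listed documents and then pulled
// many of them in quick succession.
type enumerationAlert struct {
	Client      string
	ReadDirAt   time.Time
	ChildBlocks int
}

// sampleLog is a constructed log excerpt: "<RFC3339 time> <client> <method> <path> <status>".
// The layout is assumed for this example; adapt parseLine to what your proxy emits.
const sampleLog = `2026-03-18T10:00:01Z 203.0.113.7 POST /api/file/readDir 200
2026-03-18T10:00:02Z 203.0.113.7 POST /api/block/getChildBlocks 200
2026-03-18T10:00:02Z 203.0.113.7 POST /api/block/getChildBlocks 200
2026-03-18T10:00:03Z 203.0.113.7 POST /api/block/getChildBlocks 200
2026-03-18T10:00:03Z 203.0.113.7 POST /api/block/getChildBlocks 200
2026-03-18T10:00:04Z 203.0.113.7 POST /api/block/getChildBlocks 200
2026-03-18T10:01:10Z 198.51.100.2 POST /api/file/readDir 200
2026-03-18T10:01:15Z 198.51.100.2 POST /api/block/getChildBlocks 200
2026-03-18T10:02:00Z 198.51.100.2 POST /api/system/version 200
this line is malformed and is skipped`

// parseLine splits one log line into an accessEvent.
func parseLine(line string) (accessEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return accessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return accessEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	status, err := strconv.Atoi(f[4])
	if err != nil {
		return accessEvent{}, fmt.Errorf("bad status in %q: %w", line, err)
	}
	return accessEvent{At: at, Client: f[1], Path: f[3], Status: status}, nil
}

// parseLog parses every line, skipping (and counting) malformed ones so a
// single bad line cannot stall the detector.
func parseLog(log string) (events []accessEvent, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			skipped++
			continue
		}
		events = append(events, ev)
	}
	return events, skipped
}

// detectEnumeration flags each client that made a successful readDir call and
// then at least threshold successful getChildBlocks calls within window.
// A listing followed by one or two block reads is ordinary UI behaviour; a
// listing followed by a burst of reads is the pattern the advisory warns about.
func detectEnumeration(events []accessEvent, window time.Duration, threshold int) []enumerationAlert {
	byClient := map[string][]accessEvent{}
	var order []string
	for _, ev := range events {
		if _, seen := byClient[ev.Client]; !seen {
			order = append(order, ev.Client)
		}
		byClient[ev.Client] = append(byClient[ev.Client], ev)
	}
	var alerts []enumerationAlert
	for _, client := range order {
		evs := byClient[client]
		sort.SliceStable(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i, ev := range evs {
			if ev.Path != readDirPath || ev.Status != 200 {
				continue
			}
			reads := 0
			for _, later := range evs[i+1:] {
				if later.At.Sub(ev.At) > window {
					break
				}
				if later.Path == childBlocksPath && later.Status == 200 {
					reads++
				}
			}
			if reads >= threshold {
				alerts = append(alerts, enumerationAlert{Client: client, ReadDirAt: ev.At, ChildBlocks: reads})
				break // one alert per client is enough for triage
			}
		}
	}
	return alerts
}

func main() {
	events, skipped := parseLog(sampleLog)
	for _, a := range detectEnumeration(events, time.Minute, 5) {
		fmt.Printf("ALERT %s: readDir at %s followed by %d getChildBlocks calls\n",
			a.Client, a.ReadDirAt.Format(time.RFC3339), a.ChildBlocks)
	}
	fmt.Printf("parsed %d events, skipped %d malformed lines\n", len(events), skipped)
}
```

The window and threshold are tuning knobs: on a busy multi-user instance a real user opening a folder may legitimately trigger a handful of getChildBlocks calls, so start with a threshold well above normal UI behaviour and lower it as you learn the baseline. Matching only on status 200 keeps denied or failed requests from inflating the count, which matters once the fixed version starts rejecting unauthorized calls.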
Update SiYuan to version 3.6.2 or later. This version fixes the vulnerability that allows arbitrary reading of documents within the publishing service.
SiYuan is an open-source note-taking and knowledge management application.
If an attacker can access the documents, they can read their content, compromising the confidentiality of the stored information.
If updating is not possible immediately, restrict access to SiYuan and monitor system logs for suspicious activity.
It is important to stay up-to-date with the latest security updates for SiYuan and review security alerts for any other known vulnerabilities.
If you are using a version prior to 3.6.2, you are vulnerable. Verify the SiYuan version you are using.