PT-2026-23007 · Siyuan · Siyuan

Rezmoss · Published 2026-03-03 · Updated 2026-03-25 · CVE-2026-29073

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.6.0

Description

The /api/query/sql endpoint allows users to execute SQL queries directly on the database. However, it only verifies basic authentication and does not check for administrative privileges. This allows any logged-in user, including those with read-only access, to run arbitrary SQL queries.

The vulnerable code resides in kernel/api/sql.go within the SQL function, which executes the provided SQL statement without proper restrictions. The route is protected only by CheckAuth middleware in kernel/api/router.go. The stmt parameter within the JSON payload is the vulnerable input.

An attacker can leverage this to potentially extract sensitive data, including notes belonging to other users, or cause performance issues through malicious SQL queries.

Recommendations

Versions prior to 3.6.0 should be updated to version 3.6.0 or later.
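
The gap described above, authentication without a role check on the query route, can be pinned down with a regression test. The following is an added example, not SiYuan's code and not the upstream fix: it uses plain net/http rather than the project's router, and the session table, tokens, role names, `requireAdmin` and the stub handler are assumptions made for illustration (`checkAuth` only mirrors the name of the middleware mentioned in the description).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed session table (token -> role); stands in for real session handling.
var sessions = map[string]string{"tok-admin": "admin", "tok-reader": "reader"}

// checkAuth only establishes that the caller is logged in (authentication).
func checkAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := sessions[r.Header.Get("Authorization")]; !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireAdmin is the authorization step: any role other than admin is refused.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if sessions[r.Header.Get("Authorization")] != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sqlHandler is a stub for the query endpoint; it never touches a database.
var sqlHandler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

var authOnly = checkAuth(sqlHandler)               // pattern the advisory describes
var hardened = checkAuth(requireAdmin(sqlHandler)) // authentication, then role check

// statusFor sends a constructed request to the route and returns the status code.
func statusFor(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/query/sql", strings.NewReader(`{"stmt":"SELECT 1"}`))
	req.Header.Set("Authorization", token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(authOnly, "tok-reader"), statusFor(hardened, "tok-reader")) }
```

A read-only session reaching the handler with status 200 on the auth-only wiring, and being refused with 403 once the role check is in the chain, is the behaviour a route-level test should assert for every endpoint that accepts raw statements.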

Exploit · Fix · SQL injection · Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-29073
GHSA-JQWG-75QF-VMF9
GO-2026-4592
SUSE-SU-2026:1042-1

Affected Products

Siyuan