PT-2026-24073 · Siyuan · Siyuan

Zwique · Published 2026-03-07 · Updated 2026-04-24 · CVE-2026-30869

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.5.10

Description

A path traversal flaw exists in the /export endpoint, allowing an attacker to read arbitrary files from the server filesystem. Exploitation involves using double-encoded traversal sequences to access sensitive files like conf/conf.json, which contains secrets including the API token, the cookie signing key, and the workspace access authentication code. Leaking these secrets could grant administrative access to the SiYuan kernel API and, in some cases, potentially lead to remote code execution (RCE).

The vulnerable code resides in serve.go (lines 303, 315, 320, 340, 955-957) and session.go (lines 292-295). The vulnerability stems from trusting the output of url.PathUnescape and joining it without ensuring that the resulting path remains within exportBaseDir. Double-encoded traversal sequences (%252e%252e) bypass the rejection of dot-dot URLs, while CheckAuth grants admin access for localhost requests to /export/* when the access auth code is set. A global CORS configuration (Access-Control-Allow-Origin: *) allows hostile web pages to read localhost responses.

An attacker can send a GET request to /export/%252e%252e/%252e%252e/conf/conf.json to retrieve sensitive information.

Recommendations

Versions prior to 3.5.10 should be updated to version 3.5.10 or later.
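
The missing containment check from the description, shown as an added Go example (not SiYuan's own code or its actual patch): the unchecked decode-and-join pattern beside a version that verifies the cleaned result is still under the base directory. The function names and the exportBaseDir value are constructed for illustration, and the input is assumed to be the request path as the handler sees it after the HTTP layer's single round of decoding.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Constructed value; the real export directory is not given in the advisory.
const exportBaseDir = "/srv/workspace/temp/export"

var errEscape = errors.New("resolved path is outside exportBaseDir")

// decodeAndJoin is the flawed pattern: unescape the request path and join it,
// trusting the result to stay under the base directory.
func decodeAndJoin(reqPath string) (string, error) {
	p, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", err
	}
	return filepath.Join(exportBaseDir, p), nil
}

// confinedJoin does the same decode and join, then verifies containment on
// the cleaned result, so it does not matter how the ".." was encoded.
func confinedJoin(reqPath string) (string, error) {
	full, err := decodeAndJoin(reqPath)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(exportBaseDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return full, nil
}

func main() {
	// The HTTP layer has already decoded %252e%252e once, leaving %2e%2e.
	seen := "%2e%2e/%2e%2e/conf/conf.json"
	naive, _ := decodeAndJoin(seen)
	_, err := confinedJoin(seen)
	fmt.Println("unchecked:", naive)
	fmt.Println("confined: ", err)
}
```

Checking the relative path rather than a string prefix also rejects sibling directories whose names merely start with the base directory's name.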

Exploit · Fix

RCE · Information Disclosure · Path traversal · Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-30869
GHSA-2H2P-MVFX-868W
GO-2026-4646
SUSE-SU-2026:1042-1

Affected Products

Siyuan