PT-2026-24116 · Siyuan

Zwique · Published 2026-03-09 · Updated 2026-03-25

CVE-2026-30926

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.10

Description: A privilege escalation issue exists in the publish service of SiYuan Note. A low-privilege publish account (RoleReader) can modify notebook content through the /api/block/appendHeadingChildren API endpoint. The endpoint is guarded only by the model.CheckAuth check, which accepts RoleReader sessions, and does not enforce stricter checks such as CheckAdminRole or CheckReadonly. This allows a publish user with read-only privileges to append new blocks to existing documents, potentially compromising the integrity of stored notes. The vulnerability stems from insufficient role-based authorization checks on write operations, which are protected by CheckAuth alone. The vulnerable code is located in router.go, api/block.go, model/block.go, and model/session.go. The /api/block/appendHeadingChildren API endpoint is central to the issue; id and childrenDOM are the vulnerable request parameters.

Recommendations: Update SiYuan to version 3.5.10 or later.
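The authorization gap described above, as an added illustration that is not SiYuan's code: a toy Go write handler run once behind a CheckAuth-only check chain and once behind a chain that also applies CheckReadonly. The check names are taken from the advisory, but their bodies, the Session and Notebook types, the RoleAdmin role and the sample block content are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Role models the session roles of a publish service. Only RoleReader is
// named in the advisory; RoleAdmin is an assumed second role for contrast.
type Role int

const (
	RoleReader Role = iota
	RoleAdmin
)

// Session is a hypothetical authenticated publish-service session.
type Session struct {
	Role Role
}

// Check is one authorization step in a handler's check chain.
type Check func(s *Session) error

var (
	ErrUnauthenticated = errors.New("no authenticated session")
	ErrReadOnly        = errors.New("read-only session may not write")
)

// CheckAuth only requires that some session exists, so it accepts RoleReader.
// Modelled on the check name in the advisory; the body is an assumption.
func CheckAuth(s *Session) error {
	if s == nil {
		return ErrUnauthenticated
	}
	return nil
}

// CheckReadonly rejects sessions that are only allowed to read.
// Modelled on the check name in the advisory; the body is an assumption.
func CheckReadonly(s *Session) error {
	if s == nil {
		return ErrUnauthenticated
	}
	if s.Role == RoleReader {
		return ErrReadOnly
	}
	return nil
}

// Notebook is a toy document store: document id -> ordered child blocks.
type Notebook map[string][]string

// AppendHeadingChildren is a stand-in for a write endpoint taking the id and
// childrenDOM parameters. It runs the supplied check chain first and returns
// an HTTP status code; the notebook is mutated only when every check passes.
func AppendHeadingChildren(nb Notebook, s *Session, id, childrenDOM string, chain ...Check) int {
	for _, c := range chain {
		if err := c(s); err != nil {
			if errors.Is(err, ErrUnauthenticated) {
				return http.StatusUnauthorized
			}
			return http.StatusForbidden
		}
	}
	if _, ok := nb[id]; !ok {
		return http.StatusNotFound
	}
	nb[id] = append(nb[id], childrenDOM)
	return http.StatusOK
}

// VulnerableChain mirrors the advisory's finding: the write route is guarded
// by CheckAuth alone. FixedChain adds a read-only check before any write.
var (
	VulnerableChain = []Check{CheckAuth}
	FixedChain      = []Check{CheckAuth, CheckReadonly}
)

// Scenario sends the same reader-session write to both chains on a
// constructed notebook and reports the status codes and resulting block counts.
func Scenario() (vulnStatus, fixedStatus, vulnBlocks, fixedBlocks int) {
	reader := &Session{Role: RoleReader}
	block := "<div>constructed sample block</div>" // constructed sample input

	nbVuln := Notebook{"doc-1": {"existing heading"}}
	vulnStatus = AppendHeadingChildren(nbVuln, reader, "doc-1", block, VulnerableChain...)

	nbFixed := Notebook{"doc-1": {"existing heading"}}
	fixedStatus = AppendHeadingChildren(nbFixed, reader, "doc-1", block, FixedChain...)

	return vulnStatus, fixedStatus, len(nbVuln["doc-1"]), len(nbFixed["doc-1"])
}

func main() {
	v, f, vb, fb := Scenario()
	fmt.Printf("reader on CheckAuth-only route: status %d, blocks=%d\n", v, vb)
	fmt.Printf("reader on CheckAuth+CheckReadonly route: status %d, blocks=%d\n", f, fb)
}
```

The point to take from the two chains is that authentication and authorization are separate decisions: a check that only proves a session exists says nothing about whether that session may write, so every mutating route needs a role or read-only check in its chain, and a review of the router for write handlers guarded by CheckAuth alone is the quickest way to find siblings of this issue.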

Exploit · Fix · LPE

Weakness Enumeration

Improper Access Control · Missing Authorization
Related Identifiers

CVE-2026-30926
GHSA-F9CQ-V43P-V523
GO-2026-4658
SUSE-SU-2026:1042-1

Affected Products

Siyuan