PT-2026-25387 · Siyuan · Siyuan

Fg0X0 · Published 2026-03-13 · Updated 2026-03-30 · CVE-2026-32704

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.1

Description: SiYuan is a personal knowledge management system. In versions prior to 3.6.1, the POST /api/template/renderSprig endpoint lacks the model.CheckAdminRole authorization check, so any authenticated user can reach it. The handler, renderSprig, passes the caller-controlled template parameter to model.RenderGoTemplate, which registers SQL query functions into the template's function map without verifying the caller's role. A low-privileged user can therefore run arbitrary SQL against the SiYuan workspace database and dump all note content, document hierarchy, tags, custom attributes, block IDs and timestamps. The impact is greatest in shared or enterprise deployments, where lower-privilege accounts are not meant to see other users' notes.

Recommendations: Upgrade to SiYuan version 3.6.1 or later to resolve this issue.
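The following Go program is an added example and not SiYuan's own code. It models the bug class described above: a caller-supplied template is rendered with a SQL-style function in its function map, and the only thing separating a data dump from a 403 is whether the handler checks the caller's role before parsing. The in-memory block rows, the querySQL template function (standing in for the SQL functions model.RenderGoTemplate registers), the role string and the handler names are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"text/template"
)

// block is a constructed stand-in for a row of the workspace database.
// It is not SiYuan's real schema.
type block struct {
	ID      string
	Owner   string
	Content string
}

// Constructed sample data: notes belonging to two different users.
var blocks = []block{
	{ID: "20240101-a", Owner: "alice", Content: "alice private note"},
	{ID: "20240101-b", Owner: "bob", Content: "bob private note"},
}

// querySQL is a hypothetical stand-in for the SQL functions that the
// template renderer exposes. It ignores the statement and returns every
// row, which is enough to show what an unprivileged caller gains once it
// can reach the renderer at all.
func querySQL(stmt string) []block {
	return blocks
}

// render parses and executes a caller-supplied template with the SQL
// function exposed, i.e. the dangerous part of the renderSprig code path.
func render(tmplText string) (string, error) {
	t, err := template.New("sprig").
		Funcs(template.FuncMap{"querySQL": querySQL}).
		Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSprigVulnerable models the pre-3.6.1 handler: the caller's role is
// never consulted, so any authenticated user reaches querySQL.
func renderSprigVulnerable(role, tmplText string) (status int, body string) {
	out, err := render(tmplText)
	if err != nil {
		return http.StatusBadRequest, err.Error()
	}
	return http.StatusOK, out
}

// renderSprigFixed adds the missing authorization step before any template
// is parsed. The string comparison is a stand-in for model.CheckAdminRole;
// the point is that the check runs before the template is touched.
func renderSprigFixed(role, tmplText string) (status int, body string) {
	if role != "admin" {
		return http.StatusForbidden, "admin role required"
	}
	return renderSprigVulnerable(role, tmplText)
}

func main() {
	// The template a low-privileged caller would submit: for the stand-in
	// it only needs to invoke the registered function and walk the rows.
	tmpl := `{{range querySQL "select * from blocks"}}{{.Content}};{{end}}`

	code, body := renderSprigVulnerable("user", tmpl)
	fmt.Printf("vulnerable handler, role=user:  %d %q\n", code, body)
	code, body = renderSprigFixed("user", tmpl)
	fmt.Printf("fixed handler,      role=user:  %d %q\n", code, body)
	code, body = renderSprigFixed("admin", tmpl)
	fmt.Printf("fixed handler,      role=admin: %d %q\n", code, body)
}
```

The role check sits ahead of template.Parse on purpose: parse and execution errors are returned to the caller, so gating only the execute step would still let a non-admin probe which functions exist.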

Weakness Enumeration

Incorrect Permission
Improper Authorization

Related Identifiers

CVE-2026-32704
GHSA-4J3X-HHG2-FM2X
GO-2026-4700
SUSE-SU-2026:1135-1

Affected Products

Siyuan