PT-2026-25859 · Siyuan · Siyuan

Iconnnjka · Published 2026-03-16 · Updated 2026-04-01

CVE-2026-32767

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 and below

Description: SiYuan, a personal knowledge management system, contains an authorization bypass that allows authenticated users, including those with the Reader role, to execute arbitrary SQL statements against the application's database via the /api/search/fullTextSearchBlock endpoint. This occurs when the method parameter is set to 2, which causes the endpoint to pass user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only check. The dedicated SQL endpoint, /api/query/sql, correctly enforces authorization, but the search endpoint bypasses these controls. The result is a potential breach of confidentiality, integrity, and availability: sensitive data can be read, data can be modified or deleted, and tables can even be dropped. The query parameter is the vulnerable input. The vulnerable code path passes the query string directly to the searchBySQL() function, which then executes the SQL statement using Go's database/sql package.

Recommendations: Versions prior to 3.6.1 are affected. Upgrade to version 3.6.1 or later to resolve this issue. As a temporary workaround, restrict access to the /api/search/fullTextSearchBlock endpoint. If upgrading is not immediately possible, add the CheckAdminRole and CheckReadonly middleware to the /api/search/fullTextSearchBlock endpoint. Alternatively, implement validation to ensure that only SELECT statements are executed when the method parameter is set to 2 and the user is not an administrator.
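The following Go program illustrates the advisory's alternative workaround (limiting non-administrators, and any caller while the workspace is read-only, to a single SELECT statement when the raw-SQL method is selected). It is example code added for this page, not SiYuan's own source: the role labels, MethodRawSQL, IsSingleSelect and AuthorizeRawSQL are hypothetical names, the sample queries are constructed, and the statement check is a deliberately conservative lexical filter rather than a SQL parser.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical role labels standing in for the application's real roles.
const (
	RoleAdmin    = "admin"
	RoleReader   = "reader"
	MethodRawSQL = 2 // the advisory's "method parameter set to 2"
)

var ErrNotSelect = errors.New("raw SQL rejected: only a single SELECT statement is permitted")

// stripLeadingComments drops leading whitespace and any leading "--" line
// comments or "/* */" block comments so the first real keyword is visible.
func stripLeadingComments(q string) string {
	for {
		q = strings.TrimSpace(q)
		if strings.HasPrefix(q, "--") {
			i := strings.IndexByte(q, '\n')
			if i < 0 {
				return ""
			}
			q = q[i+1:]
		} else if strings.HasPrefix(q, "/*") {
			i := strings.Index(q, "*/")
			if i < 0 {
				return ""
			}
			q = q[i+2:]
		} else {
			return q
		}
	}
}

// firstKeyword returns the leading run of ASCII letters, upper-cased.
func firstKeyword(q string) string {
	end := 0
	for end < len(q) && ((q[end] >= 'a' && q[end] <= 'z') || (q[end] >= 'A' && q[end] <= 'Z')) {
		end++
	}
	return strings.ToUpper(q[:end])
}

// hasSecondStatement reports whether a ';' outside a quoted literal or
// identifier is followed by anything but whitespace. A bare trailing ';'
// is tolerated; a ';' inside a trailing comment is (conservatively) treated
// as a separator, which is a false positive rather than a bypass.
func hasSecondStatement(q string) bool {
	var quote byte // active quote char, 0 while outside a literal/identifier
	for i := 0; i < len(q); i++ {
		c := q[i]
		switch {
		case quote != 0 && c == quote && i+1 < len(q) && q[i+1] == quote:
			i++ // doubled quote escapes itself; stay inside the literal
		case quote != 0 && c == quote:
			quote = 0
		case quote != 0:
			// inside a literal, so ';' here is data
		case c == '\'' || c == '"' || c == '`':
			quote = c
		case c == ';':
			return strings.TrimSpace(q[i+1:]) != ""
		}
	}
	return false
}

// IsSingleSelect is the "only SELECT statements" validation: exactly one
// statement, and its first keyword is SELECT.
func IsSingleSelect(q string) bool {
	q = stripLeadingComments(q)
	return firstKeyword(q) == "SELECT" && !hasSecondStatement(q)
}

// AuthorizeRawSQL decides whether a caller may run query through the raw-SQL
// path. Administrators in a writable workspace may run anything; everyone
// else is limited to a single SELECT. Requests that do not select the
// raw-SQL method are not this check's concern and pass through.
func AuthorizeRawSQL(role string, readonly bool, method int, query string) error {
	if method != MethodRawSQL || (role == RoleAdmin && !readonly) {
		return nil
	}
	if !IsSingleSelect(query) {
		return ErrNotSelect
	}
	return nil
}

func main() {
	// Constructed sample requests from a Reader-role caller, not captured traffic.
	for _, q := range []string{"SELECT id FROM blocks LIMIT 5", "DROP TABLE blocks", "SELECT 1; DROP TABLE blocks"} {
		fmt.Printf("reader %-32q -> %v\n", q, AuthorizeRawSQL(RoleReader, false, MethodRawSQL, q))
	}
}
```

A first-keyword check on its own is not sufficient: "SELECT 1; DROP TABLE blocks" starts with SELECT, so the filter must also reject stacked statements, which is why hasSecondStatement scans for a ';' outside quoted text. Even a correctly limited SELECT still lets a Reader read every table, so this filter only narrows the integrity and availability impact; the control the advisory recommends, enforcing the same CheckAdminRole and CheckReadonly checks on /api/search/fullTextSearchBlock that /api/query/sql already applies, or upgrading to 3.6.1, is what closes the authorization gap.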

Exploit · Fix

Weakness Enumeration

SQL injection
Incorrect Authorization

Related Identifiers

CLEANSTART-2026-EM10970
CVE-2026-32767
GHSA-J7WH-X834-P3R7
GO-2026-4716
SUSE-SU-2026:1135-1

Affected Products

Siyuan