PT-2026-26170 · Siyuan · Siyuan
0Xkakash1
Published: 2026-03-16 · Updated: 2026-03-27
CVE-2026-32815
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
SiYuan versions 3.6.0 and earlier
SiYuan versions 3.5.9 and earlier
Description
SiYuan, a personal knowledge management system, has a flaw in its WebSocket endpoint ('/ws') that permits unauthenticated connections when specific URL parameters are used ('?app=siyuan&id=auth&type=auth'). This bypass, originally intended for the login page to maintain a live kernel connection, enables any external client, including malicious websites through cross-origin WebSocket connections, to connect and receive all server push events in real-time. These events expose sensitive document metadata, including document titles, notebook names, file paths, and all Create, Read, Update, and Delete (CRUD) operations performed by authenticated users. The absence of Origin header validation allows a malicious website to silently connect to a victim's local SiYuan instance and monitor their note-taking activity. The vulnerable component is located in the file kernel/server/serve.go:728-731 within the serveWebSocket() function and its HandleConnect handler.
Recommendations
Versions 3.6.0 and earlier: Upgrade to version 3.6.1 or later to resolve the issue.
Versions 3.5.9 and earlier: Upgrade to version 3.6.1 or later to resolve the issue.
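An added example, not SiYuan's code or its actual fix: a Go handshake gate that applies the two checks the description reports as missing, rejecting a cross-origin Origin header and refusing to treat the 'type=auth' query parameters as authentication. The names sameOrigin, handshakeStatus, sample and hasSession, and the address 127.0.0.1:8080, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sameOrigin reports whether a browser-supplied Origin matches the host the
// request was sent to. Browsers always send Origin on WebSocket handshakes.
func sameOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // non-browser client: the session check below still applies
	}
	u, err := url.Parse(origin)
	return err == nil && u.Host != "" && strings.EqualFold(u.Host, r.Host)
}

// handshakeStatus decides a /ws upgrade. hasSession is a hypothetical result of
// the server's own session check. Query parameters never grant access.
func handshakeStatus(r *http.Request, hasSession bool) int {
	if !sameOrigin(r) {
		return http.StatusForbidden
	}
	if !hasSession {
		return http.StatusUnauthorized
	}
	return http.StatusSwitchingProtocols
}

// sample builds a constructed handshake to a local instance (address is made up).
func sample(origin, query string, hasSession bool) int {
	r := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8080/ws?"+query, nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return handshakeStatus(r, hasSession)
}

func main() {
	q := "app=siyuan&id=auth&type=auth" // parameters quoted in the advisory
	fmt.Println(sample("https://other.example", q, false)) // cross-origin page
	fmt.Println(sample("http://127.0.0.1:8080", q, false)) // same origin, no session
	fmt.Println(sample("http://127.0.0.1:8080", "app=siyuan", true))
}
```

Comparing Origin against the request's own Host does not cover DNS rebinding; a fixed allowlist of expected origins is stricter.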
Exploit
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Siyuan