PT-2026-29381 · Siyuan · Siyuan

Ngocnn97 · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34453

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.2

Description: The publish service in SiYuan allows unauthenticated visitors to read bookmarked blocks from password-protected documents. When the /api/bookmark/getBookmark endpoint runs in publish (read-only) mode, it calls FilterBlocksByPublishAccess(nil, ...). Because the function treats a nil context as authorized, passing nil skips the password check entirely, so content from a protected document becomes readable as soon as at least one block in that document is bookmarked. The vulnerable code path is the getBookmark function in kernel/api/bookmark.go together with the FilterBlocksByPublishAccess function in kernel/model/publish access.go. The root cause is that a missing (nil) access context is interpreted as "access granted" rather than "no access", which defeats the intended password enforcement.

Recommendations: Versions prior to 3.6.2: upgrade to version 3.6.2 or later to resolve this issue.
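The description above boils down to one pattern: an access filter that treats a nil context as fully authorized instead of failing closed. The following Go program is an added illustration of that pattern and its fix; it is not SiYuan's code, and the types (Document, Block, AccessContext), the in-memory data, and the functions filterVulnerable, filterFixed and bookmarkedBlocks are all constructed for this example. It shows a bookmark query that gathers blocks across documents, then runs the result through a filter that mishandles nil (returning blocks from the protected document) and a filter that maps nil to an anonymous visitor who has unlocked nothing.

```go
package main

import "fmt"

// Constructed, simplified model of the bookmark/publish scenario. These types
// and functions are illustrative and are not SiYuan's own code.

// Document is a published note that may be protected by a publish password.
type Document struct {
	ID        string
	Protected bool // true when the document requires a password in publish mode
}

// Block is a content block that belongs to a document and may be bookmarked.
type Block struct {
	ID         string
	DocID      string
	Bookmarked bool
}

// AccessContext records which protected documents a visitor has unlocked.
// A nil *AccessContext represents "no visitor context was supplied at all".
type AccessContext struct {
	Unlocked map[string]bool
}

// Constructed sample data: one public document and one password-protected one.
var docs = map[string]Document{
	"public-doc":    {ID: "public-doc", Protected: false},
	"protected-doc": {ID: "protected-doc", Protected: true},
}

var blocks = []Block{
	{ID: "b1", DocID: "public-doc", Bookmarked: true},
	{ID: "b2", DocID: "protected-doc", Bookmarked: true}, // bookmarked block in a protected doc
	{ID: "b3", DocID: "protected-doc", Bookmarked: false},
}

// bookmarkedBlocks mirrors a "get bookmarks" query: it collects every bookmarked
// block regardless of which document it lives in. Access control is left to the filter.
func bookmarkedBlocks() []Block {
	var out []Block
	for _, b := range blocks {
		if b.Bookmarked {
			out = append(out, b)
		}
	}
	return out
}

// filterWith keeps a block only if its document is unprotected or the visitor
// has unlocked that document. Unknown documents are dropped rather than guessed at.
func filterWith(ctx *AccessContext, in []Block) []Block {
	var out []Block
	for _, b := range in {
		doc, ok := docs[b.DocID]
		if !ok {
			continue
		}
		if !doc.Protected || ctx.Unlocked[doc.ID] { // lookup on a nil map is safe and yields false
			out = append(out, b)
		}
	}
	return out
}

// filterVulnerable reproduces the flawed logic: a nil context is treated as
// fully authorized, so every bookmarked block, protected or not, passes through.
func filterVulnerable(ctx *AccessContext, in []Block) []Block {
	if ctx == nil {
		return in
	}
	return filterWith(ctx, in)
}

// filterFixed fails closed: a nil context becomes an anonymous visitor who has
// unlocked nothing, so only blocks from unprotected documents are returned.
func filterFixed(ctx *AccessContext, in []Block) []Block {
	if ctx == nil {
		ctx = &AccessContext{}
	}
	return filterWith(ctx, in)
}

// ids extracts block IDs for readable output and assertions.
func ids(bs []Block) []string {
	var out []string
	for _, b := range bs {
		out = append(out, b.ID)
	}
	return out
}

func main() {
	bm := bookmarkedBlocks()
	fmt.Println("vulnerable, nil ctx:", ids(filterVulnerable(nil, bm))) // [b1 b2]: protected content leaks
	fmt.Println("fixed, nil ctx:     ", ids(filterFixed(nil, bm)))      // [b1]: protected block withheld
	unlocked := &AccessContext{Unlocked: map[string]bool{"protected-doc": true}}
	fmt.Println("fixed, unlocked:    ", ids(filterFixed(unlocked, bm))) // [b1 b2]: visitor supplied the password
}
```

The design point is that an absent context must carry no privileges: the fixed filter normalises nil to an empty context before any decision is made, so every caller, including read-only publish endpoints that have no session to pass, gets the same deny-by-default behaviour. A useful regression check is exactly the nil-context case over a fixture with at least one bookmarked block inside a protected document.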

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-34453, GHSA-C77M-R996-JR3Q

Affected Products: Siyuan