Session Hijacking Vulnerability in SiYuan Note Application
CVE-2025-68948

6.9 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 27 December 2025

What is CVE-2025-68948?

SiYuan Note, a self-hosted, open-source personal knowledge management application, has a weakness in its session management. In versions 3.5.1 and earlier, the application uses a hardcoded cryptographic secret for its session store, which defeats the purpose of encrypting the session cookie: a key that ships in the source is known to everyone who can read it. Sensitive data, specifically the AccessAuthCode, is stored inside that session cookie. An attacker who intercepts or otherwise obtains a user's encrypted session cookie can decrypt it locally with the publicly known hardcoded secret, recover the AccessAuthCode in plain text, and potentially hijack or take over the session.
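The following Go program is an added illustration of the two design points in the description; it is not SiYuan's code, and the key bytes, payload and AccessAuthCode value are constructed placeholders. It encrypts a session cookie with AES-GCM under a key committed to the source (so the cookie opens on any machine that has the source) and then shows the two corrections a defender applies: a per-deployment key generated at install time, and keeping the AccessAuthCode server-side so the cookie carries only an opaque session ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// hardcodedSecret stands in for a key committed to the public source tree.
// Constructed placeholder, not SiYuan's real value: anyone who can read the
// repository also holds this key, so it gives no confidentiality.
var hardcodedSecret = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// newInstanceSecret mints a fresh 256-bit key for one deployment. A real
// server persists it outside the source (0600 file, env, secret manager).
func newInstanceSecret() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCookie encrypts and authenticates a session payload with AES-GCM,
// prepends the random nonce, and base64url-encodes it for Set-Cookie.
func sealCookie(key, payload []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, payload, nil)), nil
}

// openCookie reverses sealCookie; it succeeds only for a holder of the key.
func openCookie(key []byte, cookie string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("cookie too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// sessionStore is the second mitigation: the AccessAuthCode stays server-side
// and the cookie carries only a random ID, so a decrypted cookie reveals nothing.
type sessionStore struct{ byID map[string]string }

func newSessionStore() *sessionStore { return &sessionStore{byID: map[string]string{}} }

// create registers a session and returns the opaque ID to place in the cookie.
func (s *sessionStore) create(accessAuthCode string) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	sid := base64.RawURLEncoding.EncodeToString(id)
	s.byID[sid] = accessAuthCode
	return sid, nil
}

// lookup resolves a client-presented session ID; unknown IDs are rejected.
func (s *sessionStore) lookup(sid string) (string, bool) {
	code, ok := s.byID[sid]
	return code, ok
}

func main() {
	payload := []byte("AccessAuthCode=constructed-sample") // constructed, not a real code
	cookie, _ := sealCookie(hardcodedSecret, payload)
	plain, err := openCookie(hardcodedSecret, cookie)
	fmt.Printf("shared hardcoded key: opened=%v payload=%q\n", err == nil, plain)

	instanceKey, _ := newInstanceSecret()
	_, err = openCookie(instanceKey, cookie)
	fmt.Printf("per-instance key:     opened=%v (cookie from another key)\n", err == nil)

	store := newSessionStore()
	sid, _ := store.create("constructed-sample")
	fmt.Printf("opaque session id of %d chars in cookie; code stays server-side\n", len(sid))
}
```

The first two prints show the property the advisory describes: the same cookie opens under the shared key and fails authentication under any other key. The session store shows why storing only an ID is the stronger fix regardless of key handling, since a disclosed cookie then yields nothing a peer could reuse.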

Affected Version(s)

siyuan <= 3.5.1

CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved
