Privilege Escalation in SiYuan Knowledge Management System
CVE-2026-30926

7.1 HIGH

Key Information:

Status
Vendor
CVE Published:
9 March 2026

What is CVE-2026-30926?

SiYuan Note, a personal knowledge management system, has a vulnerable API endpoint that allows low-privilege users (RoleReader) to modify notebook content without the necessary permissions. Prior to version 3.5.10, the /api/block/appendHeadingChildren endpoint only checks for a basic role (model.CheckAuth), enabling authenticated users with read-only permissions to append content to existing documents. This flaw compromises the integrity of notes by allowing unauthorized alterations, presenting a significant security risk for users.
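The pattern the advisory describes is a write endpoint guarded only by an "is this user authenticated at all?" check. The Go example below is added here to illustrate that pattern and its correction; it is not SiYuan's code. The `Role` constants, the `X-Role` header used in place of a real session, the in-memory `docStore` and the simplified `appendHandler` are all assumptions made for this example. `checkAuth` stands in for a basic-role gate that lets a read-only role through, and `checkWriteAccess` is a stricter gate that additionally refuses `RoleReader` before the handler runs. The example includes an unauthenticated case as well, so it goes slightly beyond the single case the advisory names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role is the session role attached to an authenticated request.
// The type and constant names are assumptions for this example.
type Role int

const (
	RoleAdministrator Role = iota
	RoleEditor
	RoleReader
	RoleNone // no valid session
)

// roleFromRequest reads the role from a constructed "X-Role" header so the
// example needs no real session store. Anything unrecognised is unauthenticated.
func roleFromRequest(r *http.Request) Role {
	switch strings.ToLower(r.Header.Get("X-Role")) {
	case "admin":
		return RoleAdministrator
	case "editor":
		return RoleEditor
	case "reader":
		return RoleReader
	}
	return RoleNone
}

// checkAuth models the weak gate: it only requires *some* authenticated role,
// so a read-only reader is allowed to reach a write handler.
func checkAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if roleFromRequest(r) == RoleNone {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// checkWriteAccess models the corrected gate: authenticated AND not read-only.
func checkWriteAccess(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch roleFromRequest(r) {
		case RoleNone:
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		case RoleReader:
			http.Error(w, "read-only role may not modify content", http.StatusForbidden)
		default:
			next(w, r)
		}
	}
}

// docStore is an in-memory stand-in for notebook documents (constructed for the example).
type docStore struct{ docs map[string][]string }

func newDocStore() *docStore { return &docStore{docs: map[string][]string{}} }

// appendHandler is a simplified stand-in for an "append children" endpoint:
// it appends the submitted block to the named document without any role check
// of its own, so whatever middleware wraps it decides who may write.
func (s *docStore) appendHandler(w http.ResponseWriter, r *http.Request) {
	var req struct {
		ID   string `json:"id"`
		Data string `json:"data"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.ID == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	s.docs[req.ID] = append(s.docs[req.ID], req.Data)
	w.WriteHeader(http.StatusOK)
}

// tryAppend sends a constructed append request as the given role through the
// given middleware and returns the HTTP status the client would see.
func tryAppend(mw func(http.HandlerFunc) http.HandlerFunc, s *docStore, role string) int {
	body := strings.NewReader(`{"id":"doc1","data":"# appended by ` + role + `"}`)
	req := httptest.NewRequest(http.MethodPost, "/api/block/appendHeadingChildren", body)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	mw(s.appendHandler)(rec, req)
	return rec.Code
}

func main() {
	weak, fixed := newDocStore(), newDocStore()
	fmt.Println("reader via checkAuth:       ", tryAppend(checkAuth, weak, "reader"), "blocks:", len(weak.docs["doc1"]))
	fmt.Println("reader via checkWriteAccess:", tryAppend(checkWriteAccess, fixed, "reader"), "blocks:", len(fixed.docs["doc1"]))
	fmt.Println("editor via checkWriteAccess:", tryAppend(checkWriteAccess, fixed, "editor"), "blocks:", len(fixed.docs["doc1"]))
}
```

Running `main` shows the difference directly: behind `checkAuth` the reader's request returns 200 and the document gains a block, while behind `checkWriteAccess` the same request returns 403 and the document is untouched, and an editor still gets 200. The defensive point is that authorization for a mutating endpoint has to be decided per operation (read versus write), not by the mere presence of a session; a test like the one in `main` is a cheap regression check to keep around for every write route.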

Affected Version(s)

siyuan < 3.5.10

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
