File Read Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-32747

6.8 MEDIUM

Key Information:

Status
Vendor
CVE Published: 19 March 2026

What is CVE-2026-32747?

The SiYuan Personal Knowledge Management System has a vulnerability in its globalCopyFiles API, which handles file paths without adequate workspace boundary checks. This flaw allows an admin to access sensitive files outside the workspace, including Docker secrets and environment variables, which can then be copied into the workspace. The issue predominantly arises in containerized environments, where injected secrets may become accessible through the standard file API. The vulnerability is fixed in version 3.6.1; affected installations should be updated.
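
An added example, not SiYuan's code or its 3.6.1 fix: one way to enforce a workspace boundary on a copy source in Go, resolving ".." segments and symlinks before the containment test. The helper name resolveInWorkspace, the error value and the sample paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideWorkspace = errors.New("source path is outside the workspace")

// resolveInWorkspace is a hypothetical helper, not SiYuan's code. It returns
// the real path of src only if that path lies inside workspace.
func resolveInWorkspace(workspace, src string) (string, error) {
	abs, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	root, err := filepath.EvalSymlinks(abs) // canonical workspace root
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(src) {
		src = filepath.Join(root, src)
	}
	// Resolve ".." and symlinks first, so a link inside the workspace that
	// points elsewhere is judged by its real target.
	target, err := filepath.EvalSymlinks(filepath.Clean(src))
	if err != nil {
		return "", err
	}
	// Rel-based containment: a plain string-prefix test would accept /data/ws-old for /data/ws.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return target, nil
}

func main() {
	ws, _ := os.MkdirTemp("", "ws") // constructed sample workspace
	defer os.RemoveAll(ws)
	os.WriteFile(filepath.Join(ws, "note.md"), []byte("hi"), 0o600)
	for _, src := range []string{"note.md", os.TempDir()} {
		_, err := resolveInWorkspace(ws, src)
		fmt.Printf("%-30s -> %v\n", src, err)
	}
}
```

The check and the later open are not atomic, so the copy should open the returned path rather than the caller-supplied one.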

Affected Version(s)

siyuan < 3.6.1

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
