Unauthenticated WebSocket Vulnerability in SiYuan Knowledge Management System
CVE-2026-32815

5.3MEDIUM

Key Information:

Vendor

Siyuan-note

Status
Siyuan
Vendor
CVE Published:
19 March 2026

What is CVE-2026-32815?

SiYuan, a personal knowledge management system, allows unauthenticated connections through its WebSocket endpoint in versions 3.6.0 and lower. When certain URL parameters are used, this vulnerability enables any external client, including malicious sites leveraging cross-origin WebSocket technology, to connect and receive real-time server push events. These events can expose sensitive document metadata, such as titles and paths, as well as all CRUD operations performed by authenticated users. The absence of Origin header validation compounds this issue, allowing attackers to monitor a victim's activities within SiYuan. This vulnerability has been addressed in version 3.6.1.

Affected Version(s)

siyuan < 3.6.1

References

https://github.com/siyuan-note/siyuan/security/advisories...
x_refsource_CONFIRM
https://github.com/siyuan-note/siyuan/commit/1e370e373597...
x_refsource_MISC
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1
x_refsource_MISC

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.