Exposure of Protected Document Content in SiYuan by SiYuan Technology
CVE-2026-34453
What is CVE-2026-34453?
The SiYuan personal knowledge management system prior to version 3.6.2 contains a vulnerability in its publish service, which inadvertently exposes bookmarked blocks from password-protected documents to unauthenticated users. This occurs because the filtering mechanism within the /api/bookmark/getBookmark endpoint erroneously grants access to the bookmarks without enforcing the necessary password verification, treating a nil context as authorized. As a result, any user with access to the publish service can retrieve sensitive content from protected documents that have at least one bookmarked block, bypassing any authentication barriers. The issue was resolved in version 3.6.2, and users are advised to upgrade immediately to mitigate the exposure.
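The fail-open pattern described above, sketched in Go as an added example (not SiYuan's code): a bookmark filter that treats a nil context as authorized, beside a fail-closed version. The types `Block` and `Session`, the function names and the sample data are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Block and Session are hypothetical types, not SiYuan's data model.
type Block struct {
	DocID   string
	Content string
}

// Session models a publish-service visitor; nil means no auth context was attached.
type Session struct {
	Unlocked map[string]bool // document IDs whose password this visitor has entered
}

// protectedDocs is constructed sample data: documents that require a password.
var protectedDocs = map[string]bool{"doc-secret": true}

// filterFailOpen reproduces the flaw class: a nil session skips the check entirely.
func filterFailOpen(s *Session, in []Block) []Block {
	if s == nil {
		return in // BUG: missing context is treated as "authorized"
	}
	return filterFailClosed(s, in)
}

// filterFailClosed keeps a block only when its document is public or the
// session has explicitly unlocked it; a nil session unlocks nothing.
func filterFailClosed(s *Session, in []Block) []Block {
	out := make([]Block, 0, len(in))
	for _, b := range in {
		if !protectedDocs[b.DocID] || (s != nil && s.Unlocked[b.DocID]) {
			out = append(out, b)
		}
	}
	return out
}

// sampleBookmarks returns constructed bookmarked blocks, one from a protected document.
func sampleBookmarks() []Block {
	return []Block{
		{DocID: "doc-public", Content: "meeting notes"},
		{DocID: "doc-secret", Content: "key rotation plan"},
	}
}

func main() {
	fmt.Println(len(filterFailOpen(nil, sampleBookmarks())))   // 2: protected block leaks
	fmt.Println(len(filterFailClosed(nil, sampleBookmarks()))) // 1: only the public block
}
```

A regression test for this class of bug calls the filter with no session at all and asserts that nothing from a protected document comes back.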
Affected Version(s)
siyuan < 3.6.2
