{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32767", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.533Z", "datePublished": "2026-03-20T00:13:31.384Z", "dateUpdated": "2026-03-20T14:42:49.764Z"}, "containers": {"cna": {"title": "SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"}, {"name": "https://github.com/siyuan-note/siyuan/issues/17209", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/issues/17209"}, {"name": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5"}, {"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:13:31.384Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."}], "source": {"advisory": "GHSA-j7wh-x834-p3r7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:42:43.938307Z", "id": "CVE-2026-32767", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:42:49.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32767", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:42:43.938307Z"}}}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:42:29.289Z"}}], "cna": {"title": "SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API", "source": {"advisory": "GHSA-j7wh-x834-p3r7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"status": "affected", "version": "< 3.6.1"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/siyuan-note/siyuan/issues/17209", "name": "https://github.com/siyuan-note/siyuan/issues/17209", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5", "name": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:13:31.384Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32767", "state": "PUBLISHED", "dateUpdated": "2026-03-20T14:42:49.764Z", "dateReserved": "2026-03-13T18:53:03.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T00:13:31.384Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780", "versionEndExcluding": "3.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Las versiones 3.6.0 e inferiores contienen una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n en el endpoint /api/search/fullTextSearchBlock. Cuando el par\u00e1metro method se establece en 2, el endpoint pasa la entrada proporcionada por el usuario directamente como una sentencia SQL sin procesar a la base de datos SQLite subyacente sin ninguna autorizaci\u00f3n ni comprobaci\u00f3n de solo lectura. Esto permite a cualquier usuario autenticado \u2014 incluidos aquellos con el rol de Lector \u2014 ejecutar sentencias SQL arbitrarias (SELECT, DELETE, UPDATE, DROP TABLE, etc.) contra la base de datos de la aplicaci\u00f3n. Esto es inconsistente con el propio modelo de seguridad de la aplicaci\u00f3n: el endpoint SQL dedicado (/api/query/sql) requiere correctamente el middleware CheckAdminRole y CheckReadonly, pero el endpoint de b\u00fasqueda omite estos controles por completo. Este problema ha sido solucionado en la versi\u00f3n 3.6.1."}], "id": "CVE-2026-32767", "lastModified": "2026-03-23T15:23:44.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T01:15:55.597", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/siyuan-note/siyuan/issues/17209"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.1)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "siyuan", "source": "cna", "vendor": "siyuan-note"}, "product": "siyuan", "vendor": "siyuan"}], "analysis": {"en": {"generated_at": "2026-03-23T16:30:09.556696+00:00", "value": {"mitigation_remediation": ["Upgrade SiYuan to version 3.6.1 or newer", "Re\u2011verify that the vulnerability is mitigated after upgrading", "Regularly check the vendor\u2019s website or release notes for new security patches or advisories"], "summary": {"action": "Patch immediately", "impact": "SQL Injection Exploit"}, "threat_synthesis": {"affected_systems": "Affected product: SiYuan by Siyuan\u2011Note. Vulnerable versions are 3.6.0 and all earlier releases. The issue was fixed in version 3.6.1, so any deployment using 3.6.0 or older is susceptible.", "description_and_impact": "SiYuan is a personal knowledge management system that, in versions 3.6.0 and earlier, contains an authorization bypass in the \u201c/api/search/fullTextSearchBlock\u201d endpoint. When the method parameter is set to 2, the API forwards the user-supplied input to SQLite as a raw SQL statement without applying any additional authentication or read\u2011only checks. This bypass allows any authenticated user\u2014including those with the Reader role\u2014to execute arbitrary SQL commands such as SELECT, DELETE, UPDATE, and DROP TABLE against the application database. The vulnerability is a clear example of improper authorization and unsafe SQL execution, corresponding to CWE\u2011863 and CWE\u201189.", "risk_and_exploitability": "With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score is below 1% and it is not listed in the CISA KEV catalog, indicating that public exploitation is currently unlikely but the severity remains high. An attacker who can authenticate to the system (even with a low-privilege Reader account) can send a crafted request to the search endpoint to run arbitrary SQL statements, which could lead to data loss, integrity compromise, or denial of service. The attack vector is network based, requiring that the attacker has network access to the API and a valid authenticated session."}}}}, "created": "2026-03-20T08:54:10.810818+00:00", "updated": "2026-03-25T14:10:12.050064+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}