DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-23850: SiYuan Note LFD: Turning Personal Knowledge into Public Property

Vulnerability ID: CVE-2026-23850
CVSS Score: 7.8
Published: 2026-01-21

A critical Local File Disclosure (LFD) and Server-Side Request Forgery (SSRF) vulnerability in SiYuan note-taking software allows authenticated attackers to read sensitive files from the host server by abusing the 'local assets' conversion feature.

TL;DR

SiYuan < 3.5.4 has a feature that downloads remote images referenced in Markdown to the local server for offline storage. It fails to validate the URI scheme, allowing attackers to supply file:// paths or internal IPs. This tricks the server into reading /etc/passwd or internal metadata and saving it as a static asset, which the attacker can then download.
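The check the TL;DR describes as missing belongs at the URL layer, before any fetch happens. The following Go program is an added example written for this page, not SiYuan's code: it allowlists the scheme (only http and https), rejects embedded credentials, resolves the host and refuses loopback, private, link-local (which includes 169.254.169.254) and other non-global addresses, and then pins the HTTP client to the approved address so the hostname cannot be re-resolved to something else between check and use. The function names (ValidateAssetURL, isDisallowedIP, newPinnedClient) and the sample URLs are constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Only these schemes may be fetched by the server-side asset downloader.
// file://, gopher:// and anything else fails closed. (Constructed example.)
var allowedSchemes = map[string]bool{"http": true, "https": true}

// isDisallowedIP reports whether an address points back at the host itself or
// at an internal network: loopback, RFC 1918 / IPv6 ULA private space,
// link-local (covers the cloud metadata endpoint 169.254.169.254), multicast,
// unspecified, or anything else that is not global unicast.
// IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1 are unwrapped first.
func isDisallowedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() ||
		!ip.IsGlobalUnicast()
}

// ValidateAssetURL decides whether a URL taken from user-supplied Markdown may
// be fetched server-side. On success it returns the resolved addresses so the
// caller can pin the connection to one of them.
func ValidateAssetURL(ctx context.Context, raw string) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable url: %w", err)
	}
	if !allowedSchemes[u.Scheme] {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in url not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // IP literal: nothing to resolve
	} else {
		addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	// Every address the name resolves to must be acceptable, not just the first.
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return ips, nil
}

// newPinnedClient returns an HTTP client that always dials the address
// ValidateAssetURL approved, whatever the hostname resolves to at dial time
// (closes the DNS-rebinding gap between check and use). Redirects are refused:
// a redirect target must be run through ValidateAssetURL and get its own client.
func newPinnedClient(pinned net.IP) *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				return dialer.DialContext(ctx, network, net.JoinHostPort(pinned.String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("asset fetcher does not follow redirects")
		},
	}
}

func main() {
	// Constructed sample image references of the kind a Markdown note might carry.
	samples := []string{
		"https://203.0.113.10/img.png",             // public address: allowed
		"file:///etc/passwd",                       // local file: rejected by scheme
		"http://169.254.169.254/latest/meta-data/", // link-local metadata endpoint: rejected
		"http://127.0.0.1:8080/api/",               // loopback: rejected
	}
	for _, s := range samples {
		ips, err := ValidateAssetURL(context.Background(), s)
		if err != nil {
			fmt.Printf("REJECT %s: %v\n", s, err)
			continue
		}
		fmt.Printf("ALLOW  %s -> pinned to %s (timeout %s)\n", s, ips[0], newPinnedClient(ips[0]).Timeout)
	}
}
```

The point of returning the resolved addresses and dialing them directly is that a denylist applied to the path after the fetch, or a hostname check that lets the transport resolve the name a second time, leaves a window the scheme allowlist alone does not close.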

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network
  • CVSS v4.0: 7.8 (High)
  • CVSS v3.1: 8.8 (High)
  • Impact: Confidentiality Loss (High)
  • Exploit Status: PoC Available

Affected Systems

  • SiYuan Note < 3.5.4 (Windows)
  • SiYuan Note < 3.5.4 (macOS)
  • SiYuan Note < 3.5.4 (Linux / Docker)
  • SiYuan: < 3.5.4 (Fixed in: 3.5.4)

Code Analysis

Commit: b2274ba

Initial fix introducing IsSensitivePath check

+ func IsSensitivePath(path string) bool { ...
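Review bot: This introduces a path-based denylist (IsSensitivePath) as the fix, but the TL;DR locates the root cause in the downloader accepting any URI scheme and any host. A denylist applied to the path only helps after a file:// URL has already been accepted and says nothing about internal http:// targets; the check should be an allowlist on the URL scheme (http and https only) plus a check on the resolved address, with the path check at most as a second layer.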

Commit: f8f4b51

Refining sensitive path checks

+ if strings.Contains(path, "/etc/shadow") { ...
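Review bot: A strings.Contains match against one literal ("/etc/shadow") on the raw path string is a brittle refinement: it covers a single file, and it compares the string before any cleaning or symlink resolution, so equivalent spellings of the same location are not caught. Compare a normalised path (filepath.Clean, then filepath.EvalSymlinks) against an allowlisted assets directory, or better, reject non-http(s) schemes before a path is ever considered.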

Exploit Details

  • GitHub Issue: Original issue report detailing the vulnerability
  • Generated PoC: Python script demonstrating authenticated LFD

Mitigation Strategies

  • Upgrade to SiYuan v3.5.4 immediately.
  • Run the application in a strictly isolated container with minimal filesystem permissions.
  • Use a firewall (or network policy) to block the application from initiating outbound connections to internal networks (SSRF mitigation).

Remediation Steps:

  1. Stop the SiYuan service.
  2. Pull the latest docker image: docker pull b3log/siyuan:latest.
  3. Restart the container.
  4. Verify the version in the Settings > About menu.

References

Read the full report for CVE-2026-23850 on our website for more details including interactive diagrams and full exploit analysis.