SiYuan's Sticky Fingers: When 'Copy File' Becomes 'Steal Everything'
Vulnerability ID: CVE-2026-23851
CVSS Score: 8.3
Published: 2026-01-21
A critical logic flaw in SiYuan Note's file handling allows authenticated users to read arbitrary files from the underlying server filesystem. By abusing the 'globalCopyFiles' API, attackers can pull system secrets like SSH keys and password hashes directly into their workspace.
TL;DR
SiYuan Note's API endpoint for copying files failed to validate source paths. An attacker could request the server to copy /etc/passwd or C:\Windows\win.ini into a public asset directory, effectively turning a file management feature into a full system read primitive. The fix involves a blacklist, which... well, we'll get to that.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-22 (Path Traversal)
- CVSS v4.0: 8.3 (High)
- Attack Vector: Network (Authenticated)
- Impact: High (Confidentiality)
- Patch Status: Fixed in v3.5.4 (Blacklist implementation)
- EPSS Score: 0.04% (Low immediate mass-exploit risk)
Affected Systems
- SiYuan Note (Self-hosted)
- SiYuan Note (Desktop)
- Docker deployments of SiYuan
- SiYuan: < 3.5.4 (Fixed in: 3.5.4)
Code Analysis
Commit: b2274ba
Initial implementation of sensitive path check
+ if util.IsSensitivePath(absSrc) { return }
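Review bot: the guard tests `absSrc` but this line does not show the path being symlink-resolved first, so a link placed inside the workspace that points at a sensitive file would carry a harmless name and pass the name-based check; resolve the real target before testing it, or better, refuse any source that resolves outside the workspace root regardless of its name. The bare `return` also hands the caller nothing to surface, so the API can report a refused copy as success; returning a descriptive error alongside the log line the advisory tells operators to watch for would make the refusal observable to the client as well.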
Commit: f8f4b51
Refining the blacklist logic
+ var sensitiveFileNames = []string{"passwd", "shadow", ...}
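Review bot: a base-name list such as `"passwd", "shadow", ...` only refuses what it enumerates: the `win.ini` case from the summary shows it must also track Windows files, and it cannot cover private keys, database files or backups whose names are arbitrary, nor case variants on case-insensitive filesystems. Keep the list as defense in depth behind a workspace-containment check rather than as the only barrier, since the remediation section itself recommends the allow-list approach.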
Exploit Details
- Internal Research: The logic vulnerability is intrinsic to the API design in versions < 3.5.4.
Mitigation Strategies
- Input Validation (Whitelist approach preferred over Blacklist)
- Principle of Least Privilege (Run as non-root)
- Container Isolation
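The allow-list approach recommended above, as an added example that is not SiYuan's own code: instead of asking whether a source name is on a sensitive list, the check cleans the path, resolves symlinks and then requires the result to stay under the workspace root, so traversal, absolute paths and planted symlinks all fail the same test. The function name, error value and the constructed temp-directory workspace are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned for any source that does not resolve under the workspace.
var ErrOutsideWorkspace = errors.New("refuse to copy: source resolves outside the workspace")

// ResolveInsideWorkspace is an allow-list check (hypothetical name, not SiYuan's API):
// instead of "is this name on the sensitive list?" it asks "does the source, after
// cleaning and symlink resolution, still sit under the workspace root?". Traversal,
// absolute paths and symlinks planted inside the workspace all fail the same test.
func ResolveInsideWorkspace(workspaceRoot, src string) (string, error) {
	root, err := filepath.EvalSymlinks(filepath.Clean(workspaceRoot))
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(src) { // relative sources are anchored at the workspace, not the CWD
		src = filepath.Join(root, src)
	}
	target, err := filepath.EvalSymlinks(filepath.Clean(src)) // follows links to the real file
	if err != nil {
		return "", err
	}
	// filepath.Rel, not a string prefix test: /ws-evil/x must not pass as inside /ws.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return target, nil
}

func main() {
	// Constructed workspace: one note inside, one secret outside, plus a symlink to it.
	ws, _ := os.MkdirTemp("", "siyuan-ws")
	outside, _ := os.MkdirTemp("", "not-ws")
	_ = os.WriteFile(filepath.Join(ws, "note.md"), []byte("hello"), 0o600)
	_ = os.WriteFile(filepath.Join(outside, "secret"), []byte("key"), 0o600)
	_ = os.Symlink(filepath.Join(outside, "secret"), filepath.Join(ws, "link"))
	for _, src := range []string{"note.md", "link", filepath.Join(outside, "secret"), "../"} {
		_, err := ResolveInsideWorkspace(ws, src)
		fmt.Printf("%-45s allowed=%v err=%v\n", src, err == nil, err)
	}
}
```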
Remediation Steps:
- Upgrade SiYuan to version 3.5.4 or higher immediately.
- Verify that the application is running with restricted file system permissions.
- Monitor logs for 'refuse to copy sensitive file' entries.
References
Read the full report for CVE-2026-23851 on our website for more details including interactive diagrams and full exploit analysis.