DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-F72R-2H5J-7639: Case-Sensitive Chaos: Bypassing SiYuan Note's Security with a Capital Letter

Vulnerability ID: GHSA-F72R-2H5J-7639
CVSS Score: 7.5
Published: 2026-01-28

SiYuan Note, a privacy-first personal knowledge management tool, suffered from a classic disconnect between rigid programming logic and lax filesystem standards. By failing to account for case-insensitivity on Windows (NTFS) and macOS (APFS), the kernel allowed attackers to bypass a blacklist designed to protect critical configuration files. A simple change from 'conf.json' to 'Conf.json' was all it took to exfiltrate sensitive secrets.

TL;DR

Developers utilized case-sensitive string comparisons in Go to protect 'conf.json'. On Windows/macOS, 'Conf.json' is the same file but a different string. Attackers can bypass the blacklist and read the configuration file containing secrets.
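The mismatch described above, as an added example that is not SiYuan's code: a byte-exact blacklist check beside a case-folded one, run over constructed request paths. The names `confDir`, `refuseExact` and `refuseFolded` and the `/workspace` paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// confDir is a constructed stand-in for the kernel's configuration directory.
const confDir = "/workspace/conf"

// protectedPath is the file the blacklist is meant to keep out of reach.
var protectedPath = filepath.Join(confDir, "conf.json")

// refuseExact is the weak form: a byte-for-byte comparison, which only
// matches the one spelling the developer typed.
func refuseExact(absPath string) bool {
	return filepath.Clean(absPath) == protectedPath
}

// refuseFolded compares under Unicode simple case folding, so every spelling
// that a case-insensitive filesystem maps to the same file is refused too.
func refuseFolded(absPath string) bool {
	return strings.EqualFold(filepath.Clean(absPath), protectedPath)
}

func main() {
	// Constructed request paths, not taken from the advisory.
	samples := []string{
		"/workspace/conf/conf.json",
		"/workspace/conf/Conf.json",
		"/workspace/conf/CONF.JSON",
		"/workspace/data/notes.md",
	}
	for _, p := range samples {
		fmt.Printf("%-28s exact=%-5v folded=%v\n", p, refuseExact(p), refuseFolded(p))
	}
}
```

Case folding only approximates the filesystem's own matching rules; when the protected file exists, comparing the `os.Stat` results of both paths with `os.SameFile` asks the filesystem directly.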


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-178 (Case Sensitivity)
  • Attack Vector: Network (API)
  • CVSS (Est.): 7.5 (High)
  • Platform: Windows / macOS
  • Impact: Sensitive Data Exposure
  • Fix Status: Patched (Commit 1f02650b)

Affected Systems

  • Windows (NTFS file system)
  • macOS (APFS case-insensitive)
  • SiYuan Note Kernel (prior to commit 1f02650b)
  • SiYuan Note: versions before commit 1f02650b (fixed in commit 1f02650b3892d2ea3896242dd2422c30bda55e11)

Code Analysis

Commit: 1f02650

Fix case sensitivity security bypass in file API

func refuseToAccess(...) {
+ if filepath.Join(util.ConfDir, "conf.json") == fileAbsPath { return true }
}
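Review bot: the comparison on the `+` line uses `==`, which is byte-exact, so a `fileAbsPath` that differs from `filepath.Join(util.ConfDir, "conf.json")` only in letter case would not match and `refuseToAccess` would not return true for it. Nothing in this excerpt shows `fileAbsPath` being case-normalised before the check, so either compare with `strings.EqualFold` or resolve both paths and compare them with `os.SameFile`, and add a test that passes a capitalised spelling of the file name on a case-insensitive filesystem.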

Mitigation Strategies

  • Update SiYuan Note to the latest version (post-Jan 2026 fix).
  • Run SiYuan behind a reverse proxy (Nginx) with strict path filtering.
  • Avoid running the application with high privileges on Windows.
  • Disable the 'Publish' feature if not strictly necessary.

Remediation Steps:

  1. Pull the latest Docker image or binary.
  2. Verify the version includes commit 1f02650b3892d2ea3896242dd2422c30bda55e11.
  3. Restart the kernel service.
  4. Rotate any credentials (S3 keys, WebDAV passwords) that may have been stored in conf.json if the instance was exposed.

Read the full report for GHSA-F72R-2H5J-7639 on our website for more details including interactive diagrams and full exploit analysis.