CVE-2026-32815

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.
Configurations

Configuration 1

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*

History

23 Mar 2026, 18:20

Type: References
  Values Removed: https://github.com/siyuan-note/siyuan/commit/1e370e37359778c0932673e825182ff555b504a3
  Values Added: https://github.com/siyuan-note/siyuan/commit/1e370e37359778c0932673e825182ff555b504a3 - Patch

Type: References
  Values Removed: https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1
  Values Added: https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1 - Release Notes

Type: References
  Values Removed: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xp2m-98x8-rpj6
  Values Added: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xp2m-98x8-rpj6 - Exploit, Mitigation, Vendor Advisory

Type: First Time
  Values Added: B3log; B3log siyuan

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 7.5

Type: CPE
  Values Added: cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*

Type: Summary
  Values Added:
  • (es) SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client, including malicious websites via cross-origin WebSocket, to connect and receive all server push events in real time. These events leak sensitive document metadata, including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.

19 Mar 2026, 22:16

Type: New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-23 18:20


NVD link : CVE-2026-32815

Mitre link : CVE-2026-32815

CVE.ORG link : CVE-2026-32815

Products Affected

b3log

  • siyuan
CWE
CWE-287

Improper Authentication