CVE-2026-25539 Overview
CVE-2026-25539 is a critical Path Traversal vulnerability in SiYuan, a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files.
Critical Impact
Authenticated attackers can achieve Remote Code Execution by exploiting unvalidated file copy operations to overwrite critical system files, potentially leading to complete system compromise.
Affected Products
- SiYuan versions prior to 3.5.5
Discovery Timeline
- 2026-02-04 - CVE-2026-25539 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25539
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal). The flaw exists in the /api/file/copyFile API endpoint, which accepts a dest parameter specifying the destination path for file copy operations. Prior to the patch, this parameter was used directly without any validation to ensure the destination path remained within expected boundaries.
An authenticated attacker can exploit this vulnerability by supplying a malicious dest parameter containing path traversal sequences or absolute paths pointing to sensitive system locations. This allows arbitrary file writes to directories such as /etc/cron.d/, /root/.ssh/authorized_keys, or shell configuration files, ultimately enabling Remote Code Execution.
Root Cause
The root cause is insufficient input validation on the dest parameter in the file copy API. The application failed to implement path canonicalization or restrict destination paths to a safe directory, allowing authenticated users to write files anywhere on the filesystem where the application has write permissions.
Attack Vector
The attack is network-based and requires authentication. An attacker with valid credentials can send a crafted API request to the /api/file/copyFile endpoint with a malicious destination path. By targeting system files that are automatically executed (such as cron jobs or SSH configuration files), the attacker can achieve persistent Remote Code Execution on the host system.
The security patch introduces validation using util.IsSensitivePath() to check if the destination path targets sensitive system locations:
}
dest := arg["dest"].(string)
+ if util.IsSensitivePath(dest) {
+ msg := fmt.Sprintf("refuse to copy sensitive file [%s]", dest)
+ logging.LogErrorf(msg)
+ ret.Code = -2
+ ret.Msg = msg
+ return
+ }
+
if err = filelock.Copy(src, dest); err != nil {
logging.LogErrorf("copy file [%s] to [%s] failed: %s", src, dest, err)
ret.Code = -1
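Review bot: the new guard before filelock.Copy is a denylist (util.IsSensitivePath(dest)) rather than the canonicalize-and-confine check the root-cause analysis calls for, so a destination outside the workspace that is not on the list still reaches filelock.Copy. Suggest resolving dest to an absolute, symlink-free path and rejecting anything not under the workspace directory, keeping IsSensitivePath as defence in depth; a note in the log message that the request was rejected by policy (rather than "failed") would also help the detection guidance below distinguish blocked attempts from copy errors.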
Source: GitHub Commit
The patch also expands the list of protected sensitive paths:
"/etc/ssh",
"/root",
"/etc/ssl",
+ "/etc/cron.d/",
"/etc/letsencrypt",
"/var/lib/docker",
"/.gnupg",
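Review bot: "/etc/cron.d/" is added with a trailing slash while the neighbouring entries ("/etc/ssh", "/root", "/etc/ssl", "/etc/letsencrypt") have none; confirm how IsSensitivePath compares entries so that a strict prefix match does not treat "/etc/cron.d" (no slash) or the same directory reached through a cleaned ".." path differently. The detection section of this advisory also names /etc/profile.d/ as a likely target, and it is not among the visible context lines of this list; worth checking that the full list covers it.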
Source: GitHub Commit
Detection Methods for CVE-2026-25539
Indicators of Compromise
- Unexpected files appearing in sensitive system directories such as /etc/cron.d/, /root/.ssh/, or /etc/profile.d/
- API access logs showing requests to /api/file/copyFile with suspicious destination paths containing .. sequences or absolute paths to system directories
- New or modified cron jobs, SSH authorized_keys entries, or shell configuration files that were not created by administrators
Detection Strategies
- Monitor web server and application logs for requests to /api/file/copyFile with destination parameters targeting paths outside the application's data directory
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file modifications
- Review SiYuan application logs for error messages related to file copy operations with unexpected paths
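The canonicalize-and-confine check that the Root Cause section describes as missing, applied here as a detection pass over API log records as the Detection Strategies list suggests. This is an added example, not SiYuan's code; the JSON-lines log format, its field names and the workspace path are assumptions, and the sample records are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// destInsideWorkspace canonicalizes dest (absolute as given, relative resolved
// against the workspace) and requires the result to stay under the workspace.
// Unlike a denylist of sensitive prefixes it needs no list of "bad" paths.
// Production code should also resolve symlinks (filepath.EvalSymlinks).
func destInsideWorkspace(workspace, dest string) bool {
	absWS, err := filepath.Abs(workspace)
	if err != nil {
		return false
	}
	absDest := filepath.Clean(dest)
	if !filepath.IsAbs(dest) {
		absDest = filepath.Join(absWS, dest)
	}
	rel, err := filepath.Rel(absWS, absDest)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// suspiciousCopyRequests scans JSON-lines API log records (assumed format:
// {"path":...,"dest":...}) and returns the dest of every /api/file/copyFile
// request whose destination would escape the workspace.
func suspiciousCopyRequests(workspace string, lines []string) []string {
	var hits []string
	for _, line := range lines {
		var rec struct{ Path, Dest string }
		if json.Unmarshal([]byte(line), &rec) != nil || rec.Path != "/api/file/copyFile" {
			continue
		}
		if !destInsideWorkspace(workspace, rec.Dest) {
			hits = append(hits, rec.Dest)
		}
	}
	return hits
}

func main() {
	// Constructed sample records: one benign relative path, two escapes.
	lines := []string{
		`{"path":"/api/file/copyFile","dest":"data/assets/note.png"}`,
		`{"path":"/api/file/copyFile","dest":"../../../etc/cron.d/job"}`,
		`{"path":"/api/file/copyFile","dest":"/etc/profile.d/x.sh"}`,
	}
	fmt.Println(suspiciousCopyRequests("/srv/siyuan/workspace", lines))
}
```

The same function rejects sibling directories such as `/srv/siyuan/workspace-evil`, which a naive string-prefix comparison would accept.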
Monitoring Recommendations
- Configure alerts for any file write operations to sensitive paths like /etc/, /root/, and user home directories
- Monitor for new cron job creation or modification events on systems running SiYuan
- Implement network-level monitoring to detect anomalous API traffic patterns to the SiYuan application
How to Mitigate CVE-2026-25539
Immediate Actions Required
- Upgrade SiYuan to version 3.5.5 or later immediately
- Audit system logs for any suspicious file copy operations that may have exploited this vulnerability prior to patching
- Review sensitive system directories for unauthorized file modifications and remediate any compromises discovered
- Implement network segmentation to limit access to the SiYuan application from untrusted networks
Patch Information
This vulnerability has been patched in SiYuan version 3.5.5. The fix implements validation of the dest parameter using the util.IsSensitivePath() function, which checks destination paths against a list of protected sensitive locations and rejects copy operations targeting these paths. For detailed patch information, see the GitHub Security Advisory and the security commit.
Workarounds
- Restrict network access to the SiYuan application using firewall rules to allow only trusted IP addresses
- Run the SiYuan application with minimal filesystem permissions, limiting write access to only necessary directories
- Deploy SiYuan in a containerized environment with restricted filesystem mounts to prevent writes to host system paths
- Implement a Web Application Firewall (WAF) to filter requests containing path traversal patterns targeting the file copy API
# Example: Restrict SiYuan network access with iptables
# Allow access only from trusted network (adjust IP range as needed)
iptables -A INPUT -p tcp --dport 6806 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6806 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


