CVE-2026-25992 Overview
CVE-2026-25992 is a path traversal vulnerability in SiYuan, a personal knowledge management system. Prior to version 3.5.5, the /api/file/getFile endpoint relies on case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems, which is the default on Windows, an attacker can sidestep those checks with a differently cased spelling of a protected path and read protected configuration files, exposing whatever secrets they hold.
Critical Impact
Attackers can bypass file access restrictions on Windows systems to read protected configuration files containing sensitive data.
Affected Products
- SiYuan versions prior to 3.5.5
- Only deployments whose workspace sits on a case-insensitive file system are exploitable: Windows installations by default
- Other case-insensitive file system deployments (for example a workspace on a macOS volume or on a case-folding mount), where the same check fails in the same way
Discovery Timeline
- 2026-02-10 - CVE-2026-25992 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-25992
Vulnerability Analysis
This vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) exists in the file access control mechanism of SiYuan's API. The /api/file/getFile endpoint implements its path restrictions as case-sensitive string comparisons against a list of protected files. That approach fails on Windows, where name lookups on NTFS and FAT32 are case-insensitive by default (NTFS preserves the case you wrote but does not distinguish it), and on any other file system that folds case.
When a request arrives, the application compares the requested path with each protected entry using exact string matching. The file system, however, treats CONFIG.json and config.json as the same file, so the check blocks only the one spelling that appears in the protection list, and every other spelling of the same name passes.
Root Cause
The root cause is the mismatch between the application's case-sensitive path validation logic and the underlying file system's case-insensitive behavior. The security check assumes that protected/config.json is different from Protected/CONFIG.JSON, but on Windows, both paths resolve to the same file.
This is a common security anti-pattern when applications developed or tested on case-sensitive file systems (Linux) are deployed on case-insensitive systems (Windows). The protection mechanism becomes ineffective because the validation does not normalize paths before comparison.
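The mismatch described above, as an added example in Go (the language of SiYuan's kernel) that is not SiYuan's own code: vulnerableIsProtected reproduces the exact-match pattern, hardenedIsProtected normalises the request first and folds case only when the file system does, and fsFoldsCase probes the workspace directory instead of trusting the operating system name. The protected file names are constructed for the example, and the backslash and dot-segment handling goes beyond the page's case-only description as ordinary defence in depth.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// Illustrative blocklist. These entries are assumptions for the example, not
// SiYuan's real protected list; they stand for whatever the real check guards.
var protectedFiles = []string{
	"/conf/conf.json",
	"/data/config.json",
}

// vulnerableIsProtected mirrors the flawed pre-3.5.5 pattern: an exact,
// case-sensitive string comparison against the blocklist, with no
// normalisation of the requested path.
func vulnerableIsProtected(requested string) bool {
	for _, p := range protectedFiles {
		if requested == p {
			return true
		}
	}
	return false
}

// hardenedIsProtected normalises before comparing: backslashes become slashes,
// "." and ".." segments and doubled slashes collapse, and when the backing
// file system folds case the comparison folds case too.
func hardenedIsProtected(requested string, foldCase bool) bool {
	normalised := path.Clean("/" + strings.ReplaceAll(requested, `\`, "/"))
	for _, p := range protectedFiles {
		if normalised == p || (foldCase && strings.EqualFold(normalised, p)) {
			return true
		}
	}
	return false
}

// fsFoldsCase probes the file system under dir instead of trusting
// runtime.GOOS: it creates a lowercase marker file and asks whether the
// uppercase spelling resolves to it. macOS volumes and casefold-enabled ext4
// directories answer "yes" even though they are not Windows.
func fsFoldsCase(dir string) (bool, error) {
	marker, err := os.CreateTemp(dir, "casecheck-*")
	if err != nil {
		return false, err
	}
	name := marker.Name()
	marker.Close()
	defer os.Remove(name)

	upper := filepath.Join(dir, strings.ToUpper(filepath.Base(name)))
	_, err = os.Stat(upper)
	switch {
	case err == nil:
		return true, nil
	case os.IsNotExist(err):
		return false, nil
	default:
		return false, err
	}
}

func main() {
	folds, err := fsFoldsCase(os.TempDir())
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Println("file system folds case:", folds)
	for _, req := range []string{
		"/conf/conf.json",
		"/Conf/CONF.JSON",
		"/data/../conf/conf.json",
		`\conf\conf.json`,
	} {
		fmt.Printf("%-26q vulnerable=%-5v hardened=%v\n",
			req, vulnerableIsProtected(req), hardenedIsProtected(req, folds))
	}
}
```

Run it on Windows or macOS and the probe reports true, so /Conf/CONF.JSON is blocked by the hardened check; on a case-sensitive Linux file system it reports false and that spelling correctly names a separate file. Even the hardened blocklist is only as good as its knowledge of Windows naming: 8.3 short names (CONFIG~1.JSO for config.json), trailing dots and spaces that the Win32 layer strips, and alternate data streams (conf.json::$DATA) can all name the same file again, which is why an allowlist of servable directories, or a comparison against the canonical on-disk path, is the sturdier design.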
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker sends HTTP requests to the /api/file/getFile endpoint with manipulated file paths using mixed-case variations.
For example, if the application blocks access to /data/config.json, an attacker might request /data/CONFIG.json or /Data/Config.JSON. The case-sensitive security check would not match these variations against the blocklist, allowing the request to proceed. The Windows file system then resolves the path to the protected file regardless of case, granting unauthorized read access.
No guessing is required: any spelling that differs from the blocklist entry in at least one letter's case reaches the same file, so an attacker who knows the name of a protected file can read it on the first try, and can walk a list of well-known file names to see which ones are served. For detailed technical information, see the GitHub Security Advisory GHSA-f72r-2h5j-7639.
Detection Methods for CVE-2026-25992
Indicators of Compromise
- Requests to the /api/file/getFile endpoint whose path, once lower-cased and normalised, matches a protected configuration file but is spelled differently from the canonical name (mixed case on its own is weak evidence, since ordinary note and asset paths legitimately contain capitals)
- Access patterns targeting known configuration file names with case variations
- A burst of file access requests from a single source address cycling through spellings of the same few paths
- HTTP 200 responses for file paths that should be restricted, particularly right after a refused request for the canonical spelling
Detection Strategies
- Implement web application firewall rules that normalise the requested path (case, slash style, dot segments) and compare it against the protected file names, rather than rules that merely look for capitalisation
- Monitor API access logs for requests whose normalised path collides with a protected file under a non-canonical spelling
- Deploy anomaly detection for file access API endpoints tracking request patterns per source
- Create SIEM correlation rules that pair a refused request for a protected file with a subsequent successful request for the same file under a different spelling from the same source
Monitoring Recommendations
- Enable detailed logging for the /api/file/getFile endpoint including requested paths
- Monitor for unauthorized access to configuration files such as conf.json and similar sensitive files
- Set up alerts for file access requests containing path traversal indicators combined with case variations
- Track and baseline normal file access patterns to identify anomalous behavior
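The indicators and correlation rules above, exercised in Go as an added example that is not part of the original page or of SiYuan: the log lines are constructed in an assumed layout (timestamp, client IP, method, endpoint, requested path, status), the protected file name is an assumption, and lineRe is the one line to change for a real log. The logic alerts on a spelling that collides with a protected file after normalisation, not on capitalisation as such, and separates the served variants from the refused ones.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample access log. The line layout is an assumption for this
// example: timestamp, client IP, method, endpoint, requested path, status.
// SiYuan's real log format is not described on this page, so adapt lineRe to
// whatever your reverse proxy or the kernel actually writes.
const sampleLog = `2026-02-11T09:58:10Z 198.51.100.7 POST /api/file/getFile path="/data/notes/today.sy" 200
2026-02-11T10:00:01Z 203.0.113.5 POST /api/file/getFile path="/conf/conf.json" 403
2026-02-11T10:00:02Z 203.0.113.5 POST /api/file/getFile path="/Conf/conf.json" 200
2026-02-11T10:00:03Z 203.0.113.5 POST /api/file/getFile path="/CONF/CONF.JSON" 200
2026-02-11T10:00:04Z 203.0.113.5 POST /api/file/getFile path="/data/../conf/Conf.json" 200
2026-02-11T10:05:00Z 198.51.100.7 POST /api/file/getFile path="/data/assets/Diagram.PNG" 200`

// Files whose exposure matters. An assumption for the example; use the real list.
var protectedFiles = []string{"/conf/conf.json"}

var lineRe = regexp.MustCompile(`^(\S+) (\S+) (\S+) (\S+) path="([^"]*)" (\d{3})$`)

// Finding is one log line that reached a protected file.
type Finding struct {
	Time, IP, RawPath string
	Status            int
	Variant           bool // spelled differently from the canonical entry
}

// canonical folds a path the way a case-insensitive file system would.
func canonical(p string) string {
	return strings.ToLower(path.Clean("/" + strings.ReplaceAll(p, `\`, "/")))
}

// Analyse scans the log for requests that resolve to a protected file. It
// deliberately does not flag mixed case on its own (Diagram.PNG is legitimate);
// the signal is a non-canonical spelling that collides with a protected name.
func Analyse(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil || !strings.EqualFold(m[4], "/api/file/getFile") {
			continue
		}
		raw := m[5]
		for _, prot := range protectedFiles {
			if canonical(raw) != canonical(prot) {
				continue
			}
			status, _ := strconv.Atoi(m[6])
			out = append(out, Finding{Time: m[1], IP: m[2], RawPath: raw, Status: status, Variant: raw != prot})
		}
	}
	return out
}

// ServedVariants keeps the findings that matter most: a bypass spelling that
// the server actually answered with HTTP 200.
func ServedVariants(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Variant && f.Status == 200 {
			out = append(out, f)
		}
	}
	return out
}

// NoisyClients returns, sorted, the IPs that sent at least threshold variant probes.
func NoisyClients(findings []Finding, threshold int) []string {
	counts := map[string]int{}
	for _, f := range findings {
		if f.Variant {
			counts[f.IP]++
		}
	}
	var ips []string
	for ip, n := range counts {
		if n >= threshold {
			ips = append(ips, ip)
		}
	}
	sort.Strings(ips)
	return ips
}

func main() {
	findings := Analyse(sampleLog)
	for _, f := range ServedVariants(findings) {
		fmt.Printf("%s %s was served a protected file via %q\n", f.Time, f.IP, f.RawPath)
	}
	fmt.Println("clients to investigate:", NoisyClients(findings, 2))
}
```

On the constructed sample the refused canonical request at 10:00:01 followed by three served variants from the same address is exactly the sequence the correlation rule above describes, while the capitalised asset path from the other client produces no finding at all.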
How to Mitigate CVE-2026-25992
Immediate Actions Required
- Upgrade SiYuan to version 3.5.5 or later immediately
- Restrict network access to SiYuan installations until patching is complete
- Review access logs for any indicators of prior exploitation attempts
- Implement network segmentation to limit exposure of vulnerable instances
Patch Information
The vulnerability has been fixed in SiYuan version 3.5.5. The patch implements case-insensitive path comparisons that properly handle file system behavior across different operating systems. Users should upgrade immediately by downloading the latest release from the official GitHub releases page.
For full details on the security fix, refer to the GitHub Security Advisory GHSA-f72r-2h5j-7639.
Workarounds
- Deploy SiYuan behind a reverse proxy that normalises case (and slash style and dot segments) in the requested path before forwarding and refuses anything that collides with a protected file; note that if the endpoint receives the path in the request body rather than in the URL, a proxy that filters only the URL sees nothing and must inspect the body as well
- Implement network-level access controls to restrict which hosts can reach the SiYuan API
- Run SiYuan on a case-sensitive file system, where two spellings are two different files and the bypass has nothing to reach; this means a case-sensitive Linux file system, not merely a non-Windows host, since a workspace on a macOS volume, a casefold-enabled ext4 directory or a Windows share mounted over the network is still case-insensitive
- Use web application firewall rules that block requests whose normalised path matches a protected file, rather than broad rules on unusual capitalisation, which would also block legitimate paths
# Example: Restrict network access to SiYuan while patching (Linux host firewall;
# on the Windows hosts this CVE actually affects, create the equivalent inbound
# block rule for TCP 6806 in Windows Defender Firewall instead)
# Block external access to SiYuan API port (default 6806). -I places the rules
# ahead of any existing ACCEPT rule; they do not survive a reboot unless saved.
iptables -I INPUT 1 -p tcp --dport 6806 -s 127.0.0.1 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 6806 -j DROP
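A compensating control for the reverse-proxy workaround, as an added example that is neither SiYuan's code nor a configuration the project ships: a small Go reverse proxy that reads the request before forwarding it. It assumes the endpoint is called with a JSON body carrying the requested path in a field named path (check this against your version's API), that the protected-file list is the constructed one in the code, and that SiYuan listens on its default port 6806 on the same host. Filtering the URL alone would not help when the path travels in the body, which is why the guard parses the body and then hands the backend a fresh copy.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// Files the proxy must never let through. The list is an assumption for the
// example; populate it from the advisory and your own workspace layout.
var protectedFiles = map[string]bool{
	"/conf/conf.json": true,
}

// normalise folds the requested path the way a case-insensitive file system
// would: slash style, dot segments and letter case all collapse, so
// "/Conf/../Conf/CONF.JSON" becomes "/conf/conf.json".
func normalise(p string) string {
	return strings.ToLower(path.Clean("/" + strings.ReplaceAll(p, `\`, "/")))
}

// getFileRequest is the assumed JSON body of /api/file/getFile.
type getFileRequest struct {
	Path string `json:"path"`
}

// allowGetFile reports whether a getFile body may be forwarded. Malformed
// bodies are refused (fail closed) rather than passed through unexamined.
func allowGetFile(body []byte) bool {
	var req getFileRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false
	}
	return !protectedFiles[normalise(req.Path)]
}

// Guard wraps next (in production, the reverse proxy to SiYuan) and refuses
// getFile requests whose path collides with a protected file. Bodies over
// 1 MiB are cut off, which makes them invalid JSON and therefore refused.
func Guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.EqualFold(path.Clean(r.URL.Path), "/api/file/getFile") {
			body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
			if err != nil || !allowGetFile(body) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			// The check consumed the body; give the backend a re-readable copy.
			r.Body = io.NopCloser(bytes.NewReader(body))
			r.ContentLength = int64(len(body))
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	backend, err := url.Parse("http://127.0.0.1:6806") // SiYuan's default port
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(backend)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Guard(proxy)))
}
```

Point clients at port 8080 and keep 6806 reachable only from the proxy's host; a guard that can be bypassed by connecting to the backend directly is no guard. Every other endpoint passes through untouched, so the proxy adds nothing to normal use of the application.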
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.