CVE-2026-29073 Overview
CVE-2026-29073 is a SQL Injection vulnerability affecting SiYuan, a personal knowledge management system developed by B3log. The vulnerability exists in the /api/query/sql endpoint, which allows authenticated users to execute arbitrary SQL queries directly against the database. The flaw stems from insufficient authorization checks—while the endpoint validates basic authentication, it fails to verify administrative privileges, enabling any logged-in user, including those with read-only permissions, to execute unrestricted SQL queries.
Critical Impact
Any authenticated user, regardless of privilege level, can execute arbitrary SQL queries against the SiYuan database, potentially exposing all stored knowledge base data and sensitive information.
Affected Products
- B3log SiYuan versions prior to 3.6.0
- SiYuan personal knowledge management deployments with multi-user access
- Self-hosted SiYuan instances with authenticated user access
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-29073 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29073
Vulnerability Analysis
This vulnerability represents a classic broken access control flaw combined with direct SQL execution capabilities. The /api/query/sql API endpoint in SiYuan is designed to provide database query functionality, but the implementation only verifies that a user is authenticated without checking whether that user possesses administrative privileges required for such sensitive operations.
In multi-user SiYuan deployments, this creates a significant security gap where read-only users—who should only have view access to specific content—can bypass intended access restrictions and directly query the underlying database. This effectively elevates their privileges to database administrator level for read operations.
The vulnerability is classified under CWE-89 (SQL Injection), as the endpoint permits direct SQL query execution without proper input sanitization or authorization controls.
Root Cause
The root cause of CVE-2026-29073 lies in the incomplete authorization model implemented for the /api/query/sql endpoint. The developers implemented authentication verification (ensuring users are logged in) but failed to implement authorization checks (ensuring users have appropriate privileges for the requested action). This represents a violation of the principle of least privilege, where the API should restrict powerful database operations to administrative users only.
Attack Vector
The attack vector for this vulnerability is network-based and requires low-privilege authenticated access. An attacker with any valid user account in a SiYuan instance can exploit this vulnerability through the following mechanism:
- Authenticate to the SiYuan application with any valid user credentials (even read-only accounts)
- Send a crafted HTTP request to the /api/query/sql endpoint
- Include arbitrary SQL queries in the request body
- Receive direct database query results, bypassing all content-level access controls
The vulnerability allows attackers to enumerate database schemas, extract sensitive knowledge base content, access user information, and potentially discover additional attack vectors through database reconnaissance.
Detection Methods for CVE-2026-29073
Indicators of Compromise
- Unusual API requests to /api/query/sql from non-administrative user accounts
- High volume of SQL query requests from a single user session
- SQL queries accessing sensitive tables or performing data enumeration (e.g., SELECT * FROM patterns)
- Read-only users generating database query activity in access logs
Detection Strategies
- Monitor API access logs for requests to the /api/query/sql endpoint and correlate with user privilege levels
- Implement anomaly detection for database query patterns that deviate from normal administrative activity
- Deploy web application firewall (WAF) rules to flag direct SQL execution attempts from low-privilege sessions
- Enable detailed request logging for the SiYuan API layer to capture query content
Monitoring Recommendations
- Configure alerting for any /api/query/sql requests from users without administrative roles
- Establish baseline metrics for database query volume and set thresholds for anomaly detection
- Review SiYuan access logs regularly for evidence of unauthorized SQL query execution
- Implement real-time monitoring of database read operations correlated with API request origins
How to Mitigate CVE-2026-29073
Immediate Actions Required
- Upgrade SiYuan to version 3.6.0 or later immediately, as this version contains the security patch
- Audit existing user accounts and remove or restrict access for any unnecessary low-privilege users
- Review API access logs for evidence of exploitation prior to patching
- Consider temporarily restricting network access to SiYuan instances until patching is complete
Patch Information
B3log has released SiYuan version 3.6.0 which addresses this vulnerability by implementing proper authorization checks on the /api/query/sql endpoint. The patch ensures that only users with administrative privileges can execute direct SQL queries. Organizations should update to this version as the primary remediation. For technical details about the security fix, refer to the GitHub Security Advisory GHSA-jqwg-75qf-vmf9.
Workarounds
- Restrict network access to SiYuan instances using firewall rules or VPN requirements
- Implement a reverse proxy with additional authorization checks for the /api/query/sql endpoint
- Disable multi-user access and operate SiYuan in single-user mode until patching is possible
- Deploy a WAF rule to block requests to /api/query/sql from non-administrative IP ranges or user sessions
# Example nginx reverse proxy rule to restrict SQL API access
location /api/query/sql {
# Allow only from trusted admin IPs
allow 192.168.1.100;
deny all;
proxy_pass http://siyuan_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
