CVE-2026-30869 Overview
A critical path traversal vulnerability exists in SiYuan, a personal knowledge management system, prior to version 3.5.10. The vulnerability resides in the /export endpoint and allows unauthenticated attackers to read arbitrary files from the server filesystem. By exploiting double-encoded traversal sequences, attackers can bypass input validation and access sensitive configuration files, including conf/conf.json, which contains critical secrets such as the API token, cookie signing key, and workspace access authentication code.
Critical Impact
Successful exploitation enables unauthorized access to sensitive configuration files containing API tokens and authentication secrets. This could lead to full administrative access to the SiYuan kernel API and potentially be chained into remote code execution (RCE) in certain deployment scenarios.
Affected Products
- SiYuan personal knowledge management system versions prior to 3.5.10
- Self-hosted SiYuan deployments with exposed /export endpoints
- SiYuan instances accessible over the network
Discovery Timeline
- 2026-03-10 - CVE-2026-30869 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30869
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects the /export endpoint in SiYuan's web interface. The core issue stems from inadequate input validation when processing file path parameters in export requests. Attackers can craft malicious requests using double-encoded directory traversal sequences (such as %252e%252e%252f which decodes to ../) to escape the intended directory context and access files anywhere on the server filesystem.
The vulnerability is particularly severe because the exposed conf/conf.json file contains multiple high-value secrets. The API token provides direct access to the SiYuan kernel API with administrative privileges. The cookie signing key could be used to forge session cookies, and the workspace access authentication code could grant unauthorized access to protected workspaces. In environments where SiYuan has elevated privileges or where additional exploitation primitives exist, this information disclosure vulnerability could serve as the initial foothold for a complete system compromise.
Root Cause
The root cause is improper input sanitization in the /export endpoint's file path handling logic. The application fails to properly decode and validate user-supplied path components before constructing file system paths. Specifically, the endpoint appears to perform only single-pass URL decoding, allowing double-encoded traversal sequences to bypass security checks. After the first decode pass, the malicious %252e%252e%252f becomes %2e%2e%2f, which then gets decoded again during file access operations to become ../, enabling directory traversal.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker sends a specially crafted HTTP request to the /export endpoint with double-encoded path traversal sequences in the file path parameter. The server processes the request without proper validation, resulting in the disclosure of arbitrary files that the web server process has permission to read.
The attack flow consists of:
- Attacker identifies a SiYuan instance with an exposed /export endpoint
- Attacker crafts a request with double-encoded traversal sequences targeting sensitive files
- Server decodes the input and constructs a file path that escapes the intended directory
- Server returns the contents of the requested file, such as conf/conf.json
- Attacker extracts API tokens and authentication secrets from the response
- Attacker uses stolen credentials to access the SiYuan kernel API with administrative privileges
For detailed technical information about this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-30869
Indicators of Compromise
- HTTP requests to /export endpoints containing encoded traversal sequences such as %252e, %252f, or ..
- Unusual access patterns to the /export endpoint from external IP addresses
- Web server logs showing requests attempting to access conf/conf.json or other sensitive system files
- Authentication events using API tokens from unexpected source addresses
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block double-encoded path traversal patterns
- Implement anomaly detection for the /export endpoint focusing on unusual request patterns and file path parameters
- Monitor for failed and successful authentication attempts to the SiYuan kernel API from new or suspicious sources
- Use intrusion detection systems (IDS) with signatures for path traversal attack patterns
Monitoring Recommendations
- Enable detailed access logging for all requests to the /export endpoint
- Configure alerting for any requests containing URL-encoded directory traversal sequences
- Monitor file access patterns on the server to detect reads of configuration files from web application contexts
- Implement real-time log analysis to correlate path traversal attempts with subsequent API authentication events
How to Mitigate CVE-2026-30869
Immediate Actions Required
- Upgrade SiYuan to version 3.5.10 or later immediately
- Rotate all API tokens, cookie signing keys, and workspace access authentication codes if exploitation is suspected
- Restrict network access to SiYuan instances using firewall rules or network segmentation
- Review web server logs for evidence of exploitation attempts
Patch Information
The vulnerability has been fixed in SiYuan version 3.5.10. The patch addresses the input validation issue in the /export endpoint by implementing proper multi-pass URL decoding validation and path canonicalization before file access operations. Users should upgrade to version 3.5.10 or later to remediate this vulnerability. For more details, see the GitHub Security Advisory.
Workarounds
- Restrict access to the /export endpoint at the reverse proxy or network level if upgrading is not immediately possible
- Place SiYuan behind a WAF configured to block requests containing encoded directory traversal sequences
- Disable external network access to SiYuan and restrict usage to trusted internal networks only
- Implement IP allowlisting to limit access to known trusted addresses
# Example nginx configuration to restrict /export endpoint access
location /export {
# Allow only trusted internal networks
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
# Additional protection: block common traversal patterns
if ($request_uri ~* "(\%252e|\%2e|\.\.)" ) {
return 403;
}
proxy_pass http://siyuan_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
