CVE-2026-32938 Overview
CVE-2026-32938 is a Path Traversal vulnerability affecting SiYuan, a personal knowledge management system developed by B3log. The vulnerability exists in the /api/lute/html2BlockDOM endpoint on the desktop application, which copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. When combined with the GET /assets/*path endpoint (which only requires authentication), an attacker with publish-service access can cause the desktop kernel to copy any readable sensitive file and subsequently exfiltrate it.
Critical Impact
Authenticated attackers can exfiltrate sensitive files from the host system by exploiting improper path validation in the HTML processing endpoint, potentially exposing credentials, configuration files, and other confidential data.
Affected Products
- B3log SiYuan versions 3.6.0 and below
Discovery Timeline
- 2026-03-20 - CVE-2026-32938 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32938
Vulnerability Analysis
This vulnerability stems from insufficient input validation in SiYuan's HTML-to-BlockDOM conversion functionality. The /api/lute/html2BlockDOM endpoint processes HTML content that may contain file:// protocol links. When a user pastes HTML content containing these links, the application automatically copies the referenced local files into the workspace assets directory without checking whether the file path points to sensitive system locations.
The attack chain involves two components working together. First, the attacker crafts malicious HTML containing file:// links pointing to sensitive files on the target system (such as /etc/passwd, SSH keys, or application configuration files). When this HTML is processed by the vulnerable endpoint, the referenced files are copied to the assets directory. Second, the attacker can then retrieve these copied files via the GET /assets/*path endpoint, which requires only the authentication that publish-service visitors already possess.
Root Cause
The root cause is a CWE-22 (Path Traversal) vulnerability resulting from missing path validation against a sensitive-path allowlist or denylist. The application fails to sanitize or validate file paths specified in file:// URLs before performing file copy operations, allowing arbitrary readable files on the system to be accessed and exfiltrated.
Attack Vector
The attack is network-based and requires low-privilege authentication (publish-service visitor access). The attacker must be able to interact with the SiYuan desktop kernel's API endpoints. The exploitation flow involves:
- An authenticated attacker with publish-service access crafts HTML content containing file:// links to sensitive local files
- The malicious HTML is submitted to the /api/lute/html2BlockDOM endpoint
- The vulnerable endpoint copies the referenced files to the workspace assets directory without path validation
- The attacker retrieves the exfiltrated files via GET /assets/*path requests
The vulnerability does not require user interaction once the attacker has authenticated access, and the confidentiality impact is high as any readable file on the system can potentially be exfiltrated.
Detection Methods for CVE-2026-32938
Indicators of Compromise
- Unusual API requests to /api/lute/html2BlockDOM containing file:// protocol references
- Unexpected files appearing in the SiYuan workspace assets directory
- HTTP requests to /assets/*path for files that should not exist in the assets directory
- Log entries showing access to system paths like /etc/, ~/.ssh/, or application configuration directories
Detection Strategies
- Monitor API access logs for /api/lute/html2BlockDOM requests containing suspicious file:// URLs
- Implement file integrity monitoring on the SiYuan assets directory to detect unexpected file additions
- Review authentication logs for unusual publish-service visitor activity patterns
- Deploy network monitoring to detect exfiltration attempts via the assets endpoint
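To make the log-monitoring strategies above concrete, here is an added Go example (written for this page, not SiYuan's code) that scans constructed JSON-lines access logs for the two request patterns in the attack chain: html2BlockDOM calls whose payload carries file:// links, and /assets/ fetches of secret-like names. The log format, field names and the sensitiveName heuristic are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed log format and sample (assumed, not SiYuan's own): one JSON object per request.
type accessLog struct {
	Time, Remote, Method, Path, Body string // Body is an excerpt, present when payload logging is on
}

var fileLink = regexp.MustCompile(`file://[^"'\s<>]+`)                                                              // file:// refs inside pasted HTML
var sensitiveName = regexp.MustCompile(`(?i)passwd|shadow|id_rsa|id_ed25519|\.env|credentials|\.pem$|\.key$`) // secret-like names

// detect returns one alert per suspicious request in the JSON-lines input:
// html2BlockDOM calls carrying file:// links, and /assets/ fetches of secret-like names.
func detect(lines string) []string {
	var alerts []string
	for _, line := range strings.Split(strings.TrimSpace(lines), "\n") {
		var e accessLog
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // skip malformed lines rather than aborting the scan
		}
		switch {
		case e.Path == "/api/lute/html2BlockDOM":
			if links := fileLink.FindAllString(e.Body, -1); len(links) > 0 {
				alerts = append(alerts, fmt.Sprintf("%s %s html2BlockDOM with file links %v", e.Time, e.Remote, links))
			}
		case e.Method == "GET" && strings.HasPrefix(e.Path, "/assets/"):
			if sensitiveName.MatchString(strings.TrimPrefix(e.Path, "/assets/")) {
				alerts = append(alerts, fmt.Sprintf("%s %s fetched suspicious asset %s", e.Time, e.Remote, e.Path))
			}
		}
	}
	return alerts
}

const sampleLogs = `
{"time":"2026-03-21T10:00:01Z","remote":"203.0.113.5","method":"POST","path":"/api/lute/html2BlockDOM","body":"<img src=\"file:///etc/passwd\"><a href=\"file:///home/alice/.ssh/id_rsa\">k</a>"}
{"time":"2026-03-21T10:00:02Z","remote":"203.0.113.5","method":"GET","path":"/assets/id_rsa"}
{"time":"2026-03-21T10:00:03Z","remote":"198.51.100.7","method":"GET","path":"/assets/diagram.png"}
`
func main() {
	for _, a := range detect(sampleLogs) {
		fmt.Println(a)
	}
}
```

Running it prints two alerts for the constructed sample (the html2BlockDOM request with both file links, and the id_rsa asset fetch) and nothing for the benign image request.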
Monitoring Recommendations
- Enable verbose logging for SiYuan API endpoints to capture request payloads
- Configure alerts for file system operations involving sensitive directories
- Monitor for anomalous data transfer patterns from the SiYuan application
- Implement regular audits of files stored in the workspace assets directory
How to Mitigate CVE-2026-32938
Immediate Actions Required
- Upgrade SiYuan to version 3.6.1 or later immediately
- Review access logs for any signs of exploitation prior to patching
- Audit the workspace assets directory for any sensitive files that may have been copied
- Restrict publish-service access to trusted users only until patching is complete
Patch Information
B3log has released version 3.6.1 which addresses this vulnerability. The fix implements proper path validation to prevent file:// links from accessing sensitive file paths. The security patch is available via the GitHub Release v3.6.1. Additional details can be found in the GitHub Security Advisory GHSA-fq2j-j8hc-8vw8 and the commit that addresses this issue.
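The Root Cause and Patch Information sections describe the missing check without showing one. The Go function below is an added illustration, written for this page and not SiYuan's actual fix, of validating a file:// link against a sensitive-path list on the cleaned path rather than on the raw string. The list contents, the name validateFileLink and the ErrSensitivePath value are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Illustrative sensitive-path list (assumed here, not SiYuan's own): absolute
// prefixes and per-user secret directories that a file:// link in pasted HTML
// must never be allowed to copy into the workspace assets directory.
var sensitivePrefixes = []string{"/etc/", "/proc/", "/root/", "/var/"}
var sensitiveDirs = []string{"/.ssh/", "/.gnupg/", "/.aws/", "/.config/"}

// ErrSensitivePath is returned when a file:// link resolves into a denied location.
var ErrSensitivePath = errors.New("file link resolves to a sensitive path")

// validateFileLink turns a file:// link into a cleaned absolute path and rejects
// it when it lands in a sensitive location. The check runs on the canonicalised
// path, so "file:///tmp/../etc/passwd" and percent-encoded dots are caught; a
// real implementation should also resolve symlinks (filepath.EvalSymlinks) first.
func validateFileLink(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "file" {
		return "", fmt.Errorf("not a file:// link: %q", raw)
	}
	p := filepath.Clean(u.Path) // u.Path is already percent-decoded
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("file link must be absolute: %q", raw)
	}
	for _, prefix := range sensitivePrefixes {
		if strings.HasPrefix(p, prefix) {
			return "", ErrSensitivePath
		}
	}
	for _, dir := range sensitiveDirs {
		if strings.Contains(p+"/", dir) {
			return "", ErrSensitivePath
		}
	}
	return p, nil
}

func main() {
	p, err := validateFileLink("file:///home/alice/Pictures/../.ssh/id_rsa")
	fmt.Printf("path=%q err=%v\n", p, err) // constructed sample; err is ErrSensitivePath
}
```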
Workarounds
- Disable or restrict access to the publish-service feature until the patch can be applied
- Implement network-level access controls to limit who can reach the SiYuan API endpoints
- Run SiYuan with reduced file system permissions to minimize the scope of potential file access
- Deploy a reverse proxy with request filtering to block suspicious file:// URL patterns in API requests
# Example: restricting the SiYuan kernel (default port 6806) to localhost only
# Add to the host firewall rules (IPv4 shown; add the matching ip6tables rule if IPv6 is enabled)
# Drops connections to the kernel port from any source other than the loopback address;
# this also blocks legitimate remote publish-service visitors until the patch is applied
iptables -A INPUT -p tcp --dport 6806 ! -s 127.0.0.1 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.