CVE-2026-33194 Overview
CVE-2026-33194 is a path traversal vulnerability (CWE-22) in SiYuan, a personal knowledge management system developed by B3log. It lies in the IsSensitivePath() function in kernel/util/path.go, which restricts file system access with a denylist of sensitive directories rather than checking that a requested path lies inside the workspace. The denylist was expanded in commit 9914fd1 for an earlier advisory (GHSA-h5vh-m7fg-w5h6) but is still incomplete, so an attacker can reach files outside the intended workspace.
Critical Impact
Authenticated attackers with high privileges can read files from Linux directories the denylist does not cover, including /opt, /usr, /home, /mnt and /media, exposing application data, other users' configuration and mounted volumes. Exposure is bounded by the operating-system permissions of the account SiYuan runs as: a kernel running as root can read everything in those directories, one running as a dedicated unprivileged user only what that user can read.
Affected Products
- B3log SiYuan versions prior to 3.6.2
Discovery Timeline
- 2026-03-20 - CVE-2026-33194 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33194
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from an incomplete security control in SiYuan's file access validation. The IsSensitivePath() function in kernel/util/path.go is meant to keep file operations inside the user's workspace, but it implements that goal as a denylist of directories it refuses to touch rather than as a check that the resolved path lies under the workspace root, and the denylist omits several security-relevant Linux directories.
Two API endpoints rely on IsSensitivePath() as their primary defense: globalCopyFiles and importStdMd. When a request to either names a path under a directory the denylist does not cover, validation passes and the copy or import proceeds against a file outside the workspace.
Root Cause
The root cause is the incomplete denylist in IsSensitivePath(). Commit 9914fd1 expanded the list to address a prior advisory (GHSA-h5vh-m7fg-w5h6), but the following paths are still not covered:
- /opt - Add-on and third-party software, often including application configuration and credentials
- /usr - System binaries, libraries and shared data, including locally installed software under /usr/local
- /home - Home directories of other users on the host, with material such as SSH keys and shell history
- /mnt and /media - Mount points for external or network volumes
Because the check is a denylist, any directory not on the list is implicitly allowed. An authenticated user with sufficient privileges can therefore use globalCopyFiles or importStdMd to read files from these directories; an absolute path into an uncovered directory is enough, and classic ../ sequences are not required.
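To make the difference between the two approaches concrete, the following Go program is an added example written for this page; it is not SiYuan's code and does not reproduce IsSensitivePath(). The denylist contents, the workspace root /data/siyuan/workspace and the request paths are all assumptions. DenylistIsSensitive shows the pattern the advisory describes, where anything not on the list passes; lexicallyInside and InsideWorkspace show the containment check a fix would use instead, which needs no list at all, rejects a sibling directory whose name merely begins with the root, and resolves symlinks so a link planted inside the workspace cannot point out of it.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// sensitivePrefixes is an assumed denylist standing in for the one the
// advisory describes; SiYuan's real list is not reproduced here. Note what
// is absent: /opt, /usr, /home, /mnt, /media.
var sensitivePrefixes = []string{
	"/etc", "/root", "/boot", "/proc", "/sys", "/dev", "/var",
}

// DenylistIsSensitive mirrors the denylist pattern: a path is "sensitive"
// only if it sits under a listed prefix. Anything not listed is allowed,
// which is the root cause described above.
func DenylistIsSensitive(p string) bool {
	clean := filepath.Clean(p)
	for _, pre := range sensitivePrefixes {
		if clean == pre || strings.HasPrefix(clean, pre+"/") {
			return true
		}
	}
	return false
}

// lexicallyInside reports whether p, after cleaning, lies at or below root.
// filepath.Rel is used instead of a string prefix test, so a sibling such as
// /data/workspace-evil is not mistaken for /data/workspace.
func lexicallyInside(root, p string) bool {
	root = filepath.Clean(root)
	if !filepath.IsAbs(p) {
		p = filepath.Join(root, p)
	}
	rel, err := filepath.Rel(root, filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// InsideWorkspace is the containment (allowlist) check: the caller passes the
// workspace root and a path is accepted only if it resolves beneath it.
// Symlinks are resolved first so a link inside the workspace cannot reach a
// file outside it. A path that does not exist is rejected, which is the right
// default for a copy or import source.
func InsideWorkspace(root, p string) (bool, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return false, err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return false, err
	}
	if !filepath.IsAbs(p) {
		p = filepath.Join(absRoot, p)
	}
	realP, err := filepath.EvalSymlinks(p)
	if err != nil {
		return false, err
	}
	return lexicallyInside(realRoot, realP), nil
}

func main() {
	const root = "/data/siyuan/workspace" // assumed workspace root
	// Constructed source paths of the kind globalCopyFiles or importStdMd
	// would receive; none of these are real requests.
	for _, p := range []string{
		root + "/assets/a.png",
		"/home/alice/.ssh/id_rsa",
		"/opt/app/config.json",
		"/etc/passwd",
		root + "-evil/x",
		root + "/notes/../../../../etc/shadow",
	} {
		fmt.Printf("%-50s denylist-blocked=%-5v contained=%v\n",
			p, DenylistIsSensitive(p), lexicallyInside(root, p))
	}
}
```

The first two non-workspace paths are the point: the denylist reports them as not sensitive, while the containment check rejects them without anyone having to enumerate /home or /opt.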
Attack Vector
The attack is network-based and requires an authenticated account with high privileges in the SiYuan application. With such credentials, the attacker sends requests to the globalCopyFiles or importStdMd endpoints naming file paths within the uncovered directories.
Because IsSensitivePath() does not reject these paths, the request passes the intended control and the file is copied or imported from outside the workspace into it, where the attacker can read it through the application. Exposed data could include other users' files in /home, application secrets in /opt, or data on external storage mounted under /mnt or /media.
The vulnerability's CVSS scope is Changed, meaning successful exploitation affects resources beyond the vulnerable component's security authority: here the host file system, not only SiYuan's own data.
Detection Methods for CVE-2026-33194
Indicators of Compromise
- File read, copy or import operations issued through SiYuan that target /opt, /usr, /home, /mnt or /media
- Requests to the globalCopyFiles or importStdMd endpoints whose path parameters are absolute paths outside the workspace; the bypass does not require ../ sequences, so signatures that only look for dot-dot patterns will miss it
- Access logs showing authenticated users requesting files outside their normal workspace scope
Detection Strategies
- Monitor SiYuan application logs for file operations targeting directories outside the workspace
- Inspect traffic to the two vulnerable endpoints (at a reverse proxy or API gateway, since the path parameters travel in the request body) for absolute paths that do not resolve under the workspace root
- Enable file access auditing on sensitive directories, for example Linux auditd watches with read permission; file integrity monitoring alone detects modification, not the reads this vulnerability enables
- Review audit logs for high-privilege user activity involving file import or copy operations
Monitoring Recommendations
- Alert on any globalCopyFiles or importStdMd call whose path parameters point outside the workspace root, not only at the directories listed above, since the root cause is the denylist itself
- Implement behavioral analytics to identify users accessing files outside their typical workspace patterns
- Deploy endpoint detection and response (EDR) on systems running SiYuan and monitor file reads by the SiYuan process outside its workspace
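As an added illustration of the alerting rule above, the following Go program is example code written for this page, not SiYuan's or any vendor's detection content. The request records are constructed; the endpoint URL paths (/api/file/globalCopyFiles, /api/import/importStdMd) and the source-parameter names (srcs, localPath) are assumptions to verify against the router of your SiYuan version; and the workspace root is assumed. The rule flags a watched endpoint whose source parameters name a path that does not resolve under the workspace root, and it deliberately does not look for ../ sequences, since the bypass needs none.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Request is one captured API call. The shape is constructed for this
// example and is not SiYuan's log format; Body is the raw JSON body.
type Request struct {
	User string
	Path string // URL path of the kernel API endpoint
	Body string
}

// Alert describes one request that named a source path outside the workspace.
type Alert struct {
	User, Endpoint, OffendingPath string
}

// watchedEndpoints are the two endpoints the advisory names. The URL
// prefixes are assumed; confirm them against your SiYuan version's router.
var watchedEndpoints = map[string]bool{
	"/api/file/globalCopyFiles": true,
	"/api/import/importStdMd":   true,
}

// sourceKeys are the assumed body parameters that carry the source path(s).
// Only these are inspected, so workspace-relative destination parameters do
// not produce false positives.
var sourceKeys = map[string]bool{"srcs": true, "localPath": true}

// collectStrings gathers every string beneath a decoded JSON value, so a
// single path and an array of paths are handled the same way.
func collectStrings(v interface{}, out *[]string) {
	switch x := v.(type) {
	case string:
		*out = append(*out, x)
	case []interface{}:
		for _, e := range x {
			collectStrings(e, out)
		}
	case map[string]interface{}:
		for _, e := range x {
			collectStrings(e, out)
		}
	}
}

// outsideWorkspace is a lexical containment test using filepath.Rel rather
// than a string prefix, so /data/siyuan/workspace-evil is not confused with
// the root. Relative paths are joined to the root before the test so that
// "notes/../../../x" is caught too.
func outsideWorkspace(root, p string) bool {
	root = filepath.Clean(root)
	if !filepath.IsAbs(p) {
		p = filepath.Join(root, p)
	}
	rel, err := filepath.Rel(root, filepath.Clean(p))
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Scan applies the rule to a batch of requests and returns one Alert per
// offending source path. Requests to other endpoints and bodies that are not
// JSON objects are ignored.
func Scan(root string, reqs []Request) []Alert {
	var alerts []Alert
	for _, r := range reqs {
		if !watchedEndpoints[r.Path] {
			continue
		}
		var body map[string]interface{}
		if err := json.Unmarshal([]byte(r.Body), &body); err != nil {
			continue
		}
		var paths []string
		for k, v := range body {
			if sourceKeys[k] {
				collectStrings(v, &paths)
			}
		}
		for _, p := range paths {
			if outsideWorkspace(root, p) {
				alerts = append(alerts, Alert{r.User, r.Path, p})
			}
		}
	}
	return alerts
}

// sample is constructed traffic, not captured from a real deployment.
var sample = []Request{
	{"alice", "/api/file/globalCopyFiles", `{"srcs":["/data/siyuan/workspace/assets/a.png"],"destDir":"assets"}`},
	{"mallory", "/api/file/globalCopyFiles", `{"srcs":["/home/bob/.ssh/id_rsa","/opt/app/secrets.env"],"destDir":"assets"}`},
	{"mallory", "/api/import/importStdMd", `{"localPath":"/mnt/backup/notes","toPath":"/"}`},
	{"alice", "/api/block/getBlockInfo", `{"id":"/etc/passwd"}`},
	{"alice", "/api/import/importStdMd", `{"localPath":"/data/siyuan/workspace-evil/x","toPath":"/"}`},
	{"mallory", "/api/import/importStdMd", `{"localPath":"notes/../../../../etc/hosts","toPath":"/"}`},
}

func main() {
	for _, a := range Scan("/data/siyuan/workspace", sample) {
		fmt.Printf("ALERT user=%s endpoint=%s path=%s\n", a.User, a.Endpoint, a.OffendingPath)
	}
}
```

Because the path parameters are in the request body, the records have to come from something that logs bodies, such as a reverse proxy with request logging or the application's own logs; a plain access log shows only the endpoint.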
How to Mitigate CVE-2026-33194
Immediate Actions Required
- Upgrade B3log SiYuan to version 3.6.2 or later
- Audit access logs for file access attempts targeting directories outside the workspace
- Review user privileges; only high-privilege accounts can reach the vulnerable endpoints, so keep that set small and enforce least privilege
- Restrict network reachability of the SiYuan kernel API to trusted users; network controls limit who can authenticate, not what the SiYuan process can read on disk, which is an operating-system concern (see Workarounds)
Patch Information
B3log has released SiYuan 3.6.2, which contains an updated fix for this vulnerability. Organizations running affected versions should upgrade. For details of the fix, refer to GitHub Security Advisory GHSA-vm69-h85x-8p85.
Workarounds
- Restrict network access to the SiYuan application to trusted users and networks
- Run the SiYuan kernel as a dedicated unprivileged account with read access only to its workspace, so that even a bypassed path check cannot read other users' home directories or mounted volumes
- Run SiYuan in a container with only the workspace directory mounted; directories not bind-mounted into the container cannot be read regardless of what IsSensitivePath() allows
- Use a web application firewall (WAF) to block requests to globalCopyFiles or importStdMd whose path parameters are absolute paths outside the workspace; rules that only match ../ sequences do not cover this bypass
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

