CVE-2026-33669 Overview
SiYuan is a personal knowledge management system that allows users to organize notes, documents, and knowledge bases. Prior to version 3.6.2, a critical information disclosure vulnerability exists where document IDs can be retrieved via the /api/file/readDir interface, which subsequently allows attackers to use the /api/block/getChildBlocks interface to view the content of all documents stored in the system. This vulnerability enables unauthorized access to sensitive user data without requiring authentication.
Critical Impact
Unauthenticated attackers can enumerate and read all document contents in SiYuan installations, potentially exposing sensitive personal knowledge bases, notes, and confidential information stored by users.
Affected Products
- SiYuan versions prior to 3.6.2
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33669 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33669
Vulnerability Analysis
This vulnerability represents an information disclosure flaw stemming from insufficient access controls on critical API endpoints. The SiYuan application exposes two API interfaces that, when combined, allow complete enumeration and retrieval of user documents without proper authorization checks.
The first API endpoint, /api/file/readDir, returns directory listings that include document identifiers. These document IDs are internal references used by SiYuan to organize and retrieve content. Without proper access controls, any user who can reach the API can retrieve these identifiers.
The second endpoint, /api/block/getChildBlocks, accepts document IDs as parameters and returns the full content of the specified documents. Because neither endpoint implements adequate authentication or authorization verification, an attacker can chain these two calls to systematically extract all document contents from a SiYuan installation.
Root Cause
The root cause is a broken access control design (CWE-125: Out-of-bounds Read is listed, though the vulnerability behavior more closely aligns with improper access control). The API endpoints fail to verify that the requesting user has appropriate permissions to access the requested resources. This architectural flaw allows unauthenticated requests to retrieve sensitive document data that should only be accessible to authenticated and authorized users.
Attack Vector
The attack is network-based and requires no privileges, authentication, or user interaction. An attacker can exploit this vulnerability by:
- Sending a request to /api/file/readDir to enumerate all document identifiers stored in the SiYuan instance
- Iterating through the returned document IDs and calling /api/block/getChildBlocks for each identifier
- Collecting and exfiltrating all document contents returned by the API
This attack chain allows complete extraction of a user's personal knowledge base, which may contain sensitive personal notes, passwords, confidential business information, or other private data.
Detection Methods for CVE-2026-33669
Indicators of Compromise
- Unusual or excessive requests to /api/file/readDir endpoint from unknown IP addresses
- High volume of sequential calls to /api/block/getChildBlocks with incrementing or enumerated document IDs
- Access logs showing API requests from unauthenticated sessions or external networks
- Network traffic analysis revealing bulk data extraction patterns from the SiYuan application
Detection Strategies
- Monitor web server access logs for repeated access patterns to the vulnerable API endpoints
- Implement rate limiting alerts for API calls exceeding normal usage thresholds
- Deploy web application firewall (WAF) rules to detect and block enumeration attempts on SiYuan APIs
- Use network traffic analysis to identify large data transfers from SiYuan instances to external addresses
Monitoring Recommendations
- Enable detailed logging for all API endpoints, particularly /api/file/readDir and /api/block/getChildBlocks
- Configure alerting for unauthenticated API access attempts
- Review access logs regularly for signs of document enumeration or mass content retrieval
- Monitor for connections to SiYuan from unexpected network ranges or geographic locations
How to Mitigate CVE-2026-33669
Immediate Actions Required
- Upgrade SiYuan to version 3.6.2 or later immediately
- Restrict network access to SiYuan instances to trusted IP ranges or networks only
- Review access logs to determine if the vulnerability may have been exploited
- Consider rotating any sensitive credentials or information that may have been stored in SiYuan documents
Patch Information
The vulnerability has been patched in SiYuan version 3.6.2. Users should upgrade to this version or later to remediate the vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Place SiYuan behind a reverse proxy with authentication requirements
- Implement network-level access controls to restrict access to trusted users only
- Use firewall rules to block external access to SiYuan API endpoints until patching is possible
- If possible, take SiYuan offline or disconnect it from the network until the update can be applied
# Example: Restrict access to SiYuan using iptables (Linux)
# Allow only localhost and trusted network to access SiYuan port
iptables -A INPUT -p tcp --dport 6806 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 6806 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6806 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
