CVE-2026-33670: SiYuan Path Traversal Vulnerability

CVE-2026-33670 Overview

CVE-2026-33670 is a Path Traversal vulnerability affecting SiYuan, a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was vulnerable to directory traversal attacks, allowing attackers to traverse and retrieve the file names of all documents under a notebook. This vulnerability enables unauthorized access to sensitive file system information that should be restricted.

Critical Impact

This path traversal vulnerability allows unauthenticated remote attackers to enumerate and access file names across the entire notebook structure, potentially exposing sensitive document metadata and enabling further targeted attacks.

Affected Products

• SiYuan versions prior to 3.6.2
• SiYuan personal knowledge management system (all platforms)

Discovery Timeline

• 2026-03-26 - CVE CVE-2026-33670 published to NVD
• 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-33670

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The vulnerability exists in the /api/file/readDir API endpoint, which fails to properly validate and sanitize user-supplied path parameters before processing directory listing requests.

The flaw allows attackers to manipulate the path parameter by injecting directory traversal sequences (such as ../) to escape the intended notebook directory scope. Without proper input validation, the API processes these malicious path values and returns file listings from arbitrary directories accessible to the application process. This enables complete enumeration of the notebook's file structure and potentially exposes sensitive document names and organizational metadata.

Root Cause

The root cause is insufficient input validation in the /api/file/readDir endpoint. The application fails to implement proper path canonicalization and boundary checks that would prevent directory traversal sequences from escaping the designated notebook directory. The API accepts user-controlled path input without sanitizing path traversal characters, allowing attackers to construct requests that reference directories outside the intended scope.

Attack Vector

This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can craft malicious HTTP requests to the /api/file/readDir endpoint with directory traversal sequences in the path parameter. The attack can be performed remotely against any exposed SiYuan instance, making it particularly dangerous for deployments accessible over the internet or shared networks.

The attack flow involves:

1. Identifying a vulnerable SiYuan instance with an exposed API
2. Crafting requests with path traversal sequences targeting the /api/file/readDir endpoint
3. Iteratively enumerating directory contents to map the notebook structure
4. Using discovered file names to plan further exploitation or data exfiltration

For technical implementation details of this vulnerability, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-33670

Indicators of Compromise

• HTTP requests to /api/file/readDir containing path traversal sequences such as ../, ..%2f, or ..%5c
• Unusual volume of API calls to the /api/file/readDir endpoint from a single source
• Access logs showing directory enumeration patterns with incrementing path depths
• Error logs indicating failed path resolution or access denied attempts on parent directories

Detection Strategies

• Implement web application firewall (WAF) rules to detect and block path traversal patterns in API requests
• Monitor application logs for requests containing encoded or plain directory traversal sequences
• Deploy intrusion detection system (IDS) signatures targeting the /api/file/readDir endpoint with suspicious path parameters
• Configure SIEM alerts for anomalous API access patterns indicating automated directory enumeration

Monitoring Recommendations

• Enable detailed access logging for all API endpoints in SiYuan
• Set up real-time alerting for requests matching path traversal regex patterns
• Monitor for unusual network connections to SiYuan instances from external or untrusted sources
• Implement rate limiting on the /api/file/readDir endpoint to slow enumeration attempts

How to Mitigate CVE-2026-33670

Immediate Actions Required

• Upgrade SiYuan to version 3.6.2 or later immediately
• If upgrading is not immediately possible, restrict network access to the SiYuan API endpoints
• Implement network-level access controls to limit API exposure to trusted sources only
• Review access logs for evidence of exploitation attempts targeting the vulnerable endpoint

Patch Information

The vulnerability has been patched in SiYuan version 3.6.2. Users should upgrade to this version or later to remediate the vulnerability. The fix implements proper path validation and sanitization to prevent directory traversal attacks on the /api/file/readDir endpoint. For detailed patch information, consult the GitHub Security Advisory.

Workarounds

• Place SiYuan behind a reverse proxy with WAF capabilities that blocks path traversal patterns
• Restrict access to the SiYuan instance using firewall rules to allow only trusted IP addresses
• Disable or restrict access to the /api/file/readDir endpoint if not required for normal operation
• Deploy network segmentation to isolate the SiYuan instance from untrusted networks

# Example: Restrict access to SiYuan using iptables (Linux)
# Allow only specific trusted IP to access SiYuan port
iptables -A INPUT -p tcp --dport 6806 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 6806 -j DROP