CVE-2026-40318: SiYuan Path Traversal Vulnerability

CVE-2026-40318 Overview

CVE-2026-40318 is a Path Traversal vulnerability affecting SiYuan, an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal sequences such as ../ into the id value to escape the intended directory and delete arbitrary .json files on the server, including global configuration files and workspace metadata.

Critical Impact
This vulnerability allows authenticated attackers to delete arbitrary JSON files on the server, potentially leading to data loss, denial of service, or system misconfiguration by removing critical application configuration files.

Affected Products

SiYuan versions 3.6.3 and prior
SiYuan personal knowledge management system deployments with network-accessible API endpoints

Discovery Timeline

2026-04-16 - CVE-2026-40318 published to NVD
2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-40318

Vulnerability Analysis

This vulnerability is classified under CWE-24 (Path Traversal: '../filedir'), a weakness where application logic accepts user input and uses it to construct file paths without proper sanitization. In this case, the SiYuan application's /api/av/removeUnusedAttributeView endpoint takes an id parameter from user requests and directly incorporates it into filesystem operations intended to remove attribute view files.

The absence of path boundary enforcement means that attackers with authenticated access can manipulate the id parameter to include directory traversal sequences. By crafting malicious requests containing ../ patterns, an attacker can navigate outside the intended working directory and target any .json file accessible to the application's process user. This could include application configuration files, workspace metadata, user settings, or other critical JSON-formatted data structures.

The network-based attack vector combined with the low complexity of exploitation makes this vulnerability particularly concerning for self-hosted SiYuan instances exposed to untrusted networks.

Root Cause

The root cause of CVE-2026-40318 lies in insufficient input validation within the /api/av/removeUnusedAttributeView endpoint. The application fails to sanitize or validate the id parameter before using it to construct filesystem paths. Specifically, the code does not:

Restrict the id parameter to expected character sets (alphanumeric identifiers)
Strip or reject path traversal sequences (../, ..\\)
Canonicalize paths and verify they remain within expected directory boundaries
Implement allowlist validation against known valid attribute view identifiers

Attack Vector

The attack is executed over the network against the SiYuan API. An authenticated attacker sends a crafted HTTP request to the vulnerable endpoint with a malicious id parameter containing path traversal sequences. The attack flow is as follows:

Attacker authenticates to the SiYuan application (requires low-level privileges)
Attacker crafts a request to /api/av/removeUnusedAttributeView with an id value such as ../../../config/settings or similar traversal patterns
The application constructs a file path by concatenating the base directory with the malicious id and appending .json
The resulting path points to an arbitrary location outside the intended attribute view directory
The application deletes the targeted file, potentially causing data loss or service disruption

For detailed technical information, see the GitHub Security Advisory.

Detection Methods for CVE-2026-40318

Indicators of Compromise

HTTP requests to /api/av/removeUnusedAttributeView containing ../ or ..\\ sequences in the id parameter
Unexpected deletion of .json files outside the attribute view storage directory
Application configuration files or workspace metadata files disappearing without user action
Error logs indicating file not found errors for critical configuration files after API activity

Detection Strategies

Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns (../, ..%2f, ..\\) in API request parameters
Monitor API access logs for requests to /api/av/removeUnusedAttributeView with unusually long or suspicious id parameter values
Deploy file integrity monitoring (FIM) on critical SiYuan configuration directories to detect unauthorized deletions
Configure alerting on HTTP 200 responses to the vulnerable endpoint combined with path traversal pattern detection

Monitoring Recommendations

Enable detailed access logging for all SiYuan API endpoints with full request parameter capture
Set up real-time alerts for any path traversal patterns detected in incoming requests
Monitor filesystem events for deletion operations on .json files outside expected attribute view directories
Review authentication logs for unusual access patterns preceding file deletion events

How to Mitigate CVE-2026-40318

Immediate Actions Required

Upgrade SiYuan to version 3.6.4 or later immediately to remediate this vulnerability
If immediate patching is not possible, restrict network access to the SiYuan instance to trusted users and networks only
Review recent access logs for evidence of exploitation attempts targeting the /api/av/removeUnusedAttributeView endpoint
Verify integrity of critical configuration and workspace files; restore from backup if tampering is detected
Consider temporarily disabling or blocking access to the vulnerable endpoint via reverse proxy rules until patching is complete

Patch Information

The vulnerability has been fixed in SiYuan version 3.6.4. Organizations should upgrade to this version or later to address the security issue. The patch implements proper input validation and path boundary enforcement for the id parameter in the affected endpoint.

For patch details and release notes, see the GitHub Release v3.6.4.

Workarounds

Deploy a reverse proxy or WAF in front of SiYuan to filter requests containing path traversal sequences
Restrict access to SiYuan to localhost only and access via SSH tunnel or VPN for remote usage
Implement network segmentation to limit exposure of the SiYuan instance to untrusted networks
Create backup routines for critical configuration files to enable rapid recovery if exploitation occurs

bash

# Example nginx configuration to block path traversal attempts
location /api/av/removeUnusedAttributeView {
    # Block requests with path traversal patterns
    if ($request_uri ~* "(\.\./|\.\.\\)") {
        return 403;
    }
    proxy_pass http://localhost:6806;
}

CVE-2026-40318 Overview

Critical Impact
This vulnerability allows authenticated attackers to delete arbitrary JSON files on the server, potentially leading to data loss, denial of service, or system misconfiguration by removing critical application configuration files.

Affected Products

SiYuan versions 3.6.3 and prior
SiYuan personal knowledge management system deployments with network-accessible API endpoints

Discovery Timeline

2026-04-16 - CVE-2026-40318 published to NVD
2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-40318

Vulnerability Analysis

The network-based attack vector combined with the low complexity of exploitation makes this vulnerability particularly concerning for self-hosted SiYuan instances exposed to untrusted networks.

Root Cause

Restrict the id parameter to expected character sets (alphanumeric identifiers)
Strip or reject path traversal sequences (../, ..\\)
Canonicalize paths and verify they remain within expected directory boundaries
Implement allowlist validation against known valid attribute view identifiers

Attack Vector

Attacker authenticates to the SiYuan application (requires low-level privileges)
Attacker crafts a request to /api/av/removeUnusedAttributeView with an id value such as ../../../config/settings or similar traversal patterns
The application constructs a file path by concatenating the base directory with the malicious id and appending .json
The resulting path points to an arbitrary location outside the intended attribute view directory
The application deletes the targeted file, potentially causing data loss or service disruption

For detailed technical information, see the GitHub Security Advisory.

Detection Methods for CVE-2026-40318

Indicators of Compromise

HTTP requests to /api/av/removeUnusedAttributeView containing ../ or ..\\ sequences in the id parameter
Unexpected deletion of .json files outside the attribute view storage directory
Application configuration files or workspace metadata files disappearing without user action
Error logs indicating file not found errors for critical configuration files after API activity

Detection Strategies

Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns (../, ..%2f, ..\\) in API request parameters
Monitor API access logs for requests to /api/av/removeUnusedAttributeView with unusually long or suspicious id parameter values
Deploy file integrity monitoring (FIM) on critical SiYuan configuration directories to detect unauthorized deletions
Configure alerting on HTTP 200 responses to the vulnerable endpoint combined with path traversal pattern detection

Monitoring Recommendations

Enable detailed access logging for all SiYuan API endpoints with full request parameter capture
Set up real-time alerts for any path traversal patterns detected in incoming requests
Monitor filesystem events for deletion operations on .json files outside expected attribute view directories
Review authentication logs for unusual access patterns preceding file deletion events

How to Mitigate CVE-2026-40318

Immediate Actions Required

Upgrade SiYuan to version 3.6.4 or later immediately to remediate this vulnerability
If immediate patching is not possible, restrict network access to the SiYuan instance to trusted users and networks only
Review recent access logs for evidence of exploitation attempts targeting the /api/av/removeUnusedAttributeView endpoint
Verify integrity of critical configuration and workspace files; restore from backup if tampering is detected
Consider temporarily disabling or blocking access to the vulnerable endpoint via reverse proxy rules until patching is complete

Patch Information

For patch details and release notes, see the GitHub Release v3.6.4.

Workarounds

Deploy a reverse proxy or WAF in front of SiYuan to filter requests containing path traversal sequences
Restrict access to SiYuan to localhost only and access via SSH tunnel or VPN for remote usage
Implement network segmentation to limit exposure of the SiYuan instance to untrusted networks
Create backup routines for critical configuration files to enable rapid recovery if exploitation occurs

bash

# Example nginx configuration to block path traversal attempts
location /api/av/removeUnusedAttributeView {
    # Block requests with path traversal patterns
    if ($request_uri ~* "(\.\./|\.\.\\)") {
        return 403;
    }
    proxy_pass http://localhost:6806;
}

CVE-2026-40318: SiYuan Path Traversal Vulnerability

CVE-2026-40318 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-40318

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-40318

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-40318

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-40318: SiYuan Path Traversal Vulnerability

CVE-2026-40318 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-40318

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-40318

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-40318

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform