Critical (9.3)

SiYuan Path Traversal (CVE-2026-30869)


SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By expl...

Overview

A critical vulnerability, tracked as CVE-2026-30869, affects the SiYuan personal knowledge management software in versions prior to 3.5.10. It allows an attacker to read sensitive files directly from the server's filesystem.

Vulnerability Details

In simple terms, this is a path traversal vulnerability. The /export endpoint in SiYuan did not properly validate the path it was given. A request carrying double-encoded directory traversal sequences (../ sent as %252e%252e%252f, which becomes %2e%2e%2f after one round of decoding and ../ after a second) breaks out of the intended export directory, so any file the server process can read becomes reachable.

By exploiting this, an attacker can target the conf/conf.json file, the central store for the application's secrets.
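The pattern behind a double-encoding bypass, as an added illustration that is not SiYuan's code: a check for ".." that runs on a once-decoded path is defeated when the path is decoded again before use, and the durable fix is to canonicalise fully and then test containment on the final cleaned path. The workspace layout (exports under <workspace>/temp/export, secrets in <workspace>/conf/conf.json) and both handler functions are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Assumed layout for the illustration (not SiYuan's real paths): exports are
// served from <workspace>/temp/export and the secrets live in <workspace>/conf/conf.json.
const exportRoot = "/srv/siyuan/workspace/temp/export"

// vulnerableResolve models the flawed pattern: the traversal check runs on the
// once-decoded string, but a second decode happens before the path is used, so
// "%252e%252e%2f" (".%2e%2e/" style after one decode, "../" after two) slips past.
func vulnerableResolve(rawPath string) (string, error) {
	once, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if strings.Contains(once, "..") {
		return "", errors.New("traversal rejected")
	}
	twice, err := url.PathUnescape(once) // bug: decoding again after the check
	if err != nil {
		return "", err
	}
	return path.Join(exportRoot, twice), nil
}

// fullyDecode applies percent-decoding until the string stops changing, so no
// later layer can turn it into something different. The bound stops
// pathological input from looping.
func fullyDecode(s string) (string, error) {
	for i := 0; i < 4; i++ {
		d, err := url.PathUnescape(s)
		if err != nil {
			return "", err
		}
		if d == s {
			return d, nil
		}
		s = d
	}
	return "", errors.New("path encoded too many times")
}

// safeResolve canonicalises first and checks containment on the final cleaned
// path, which is the only value that matters when the file is actually opened.
func safeResolve(rawPath string) (string, error) {
	decoded, err := fullyDecode(rawPath)
	if err != nil {
		return "", err
	}
	full := path.Join(exportRoot, decoded) // Join also runs path.Clean, collapsing ".."
	if full != exportRoot && !strings.HasPrefix(full, exportRoot+"/") {
		return "", errors.New("path escapes export root")
	}
	return full, nil
}

func main() {
	payload := "%252e%252e%2f%252e%252e%2fconf%2fconf.json" // ../../conf/conf.json, encoded twice
	for _, f := range []struct {
		name string
		fn   func(string) (string, error)
	}{{"vulnerable", vulnerableResolve}, {"safe", safeResolve}} {
		p, err := f.fn(payload)
		fmt.Printf("%-10s -> %q err=%v\n", f.name, p, err)
	}
}
```

Two caveats on the hardened version: the containment test is lexical, so if the export directory can contain symlinks, resolve the final path with filepath.EvalSymlinks before comparing; and decoding to a fixed point rejects file names that contain a literal percent sign, which a product that needs them must handle by guaranteeing exactly one decode instead.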

Impact and Risks

The impact of this vulnerability is severe. Successfully reading the conf.json file exposes several high-value secrets:

  • API Token
  • Cookie Signing Key
  • Workspace Access Authentication Code

With these credentials, an attacker could gain administrative access to the SiYuan kernel API. That level of access allows theft, manipulation, or deletion of all knowledge base content. In certain deployment scenarios, particularly where SiYuan is integrated with other systems or runs with elevated privileges, the breach could be chained with other attacks to achieve full remote code execution (RCE), granting complete control over the host server.

A credential leak of this kind is a common precursor to a larger security incident.

Remediation and Mitigation

The only complete solution is to upgrade immediately.

Primary Action: Patch

  • Upgrade SiYuan to version 3.5.10 or later. This version contains the fix that properly sanitizes input to the affected endpoint.

Immediate Mitigations (If Patching is Delayed):

  • Restrict Network Access: Ensure the SiYuan instance is not exposed directly to the internet. Place it behind a firewall or VPN, limiting access to only trusted, necessary users.
  • Review Access Logs: Monitor server and reverse-proxy logs for requests to the /export endpoint whose paths contain traversal sequences in any encoding (.., %2e%2e, or the double-encoded %252e%252e). Decode the path before inspecting it; a single-pass string match misses mixed and nested encodings.
  • Assume Compromise: If the instance was reachable while unpatched and you cannot rule out exploitation, treat the API token, cookie signing key, and workspace access authentication code in conf.json as compromised. Rotate them after applying the patch, not before, since rotating first would only expose the new values through the same flaw.
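A log review of the kind suggested above, as an added example rather than anything shipped with SiYuan: the scanner parses combined-format access-log lines, normalises each request target by decoding it repeatedly and lower-casing it, and flags every /export request whose normalised path contains a parent-directory segment, so double-encoded and mixed forms such as .%2e are caught alongside plain ../. The log lines, client addresses, and the assumption that a reverse proxy writes combined-format logs are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines in the combined access-log format that a reverse
// proxy in front of SiYuan might write. None of this is real captured traffic.
var sampleLog = []string{
	`10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /export/notes/weekly.zip HTTP/1.1" 200 5120 "-" "Mozilla/5.0"`,
	`203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "GET /export/%252e%252e%2f%252e%252e%2fconf%2fconf.json HTTP/1.1" 200 1843 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [12/Mar/2026:10:01:15 +0000] "GET /export/..%2f..%2fconf%2fconf.json HTTP/1.1" 403 0 "-" "curl/8.5.0"`,
	`10.0.0.9 - - [12/Mar/2026:10:02:00 +0000] "GET /stage/protyle/?id=20240101 HTTP/1.1" 200 880 "-" "Mozilla/5.0"`,
	`198.51.100.3 - - [12/Mar/2026:10:03:30 +0000] "GET /export/.%2e/.%2e/conf/conf.json HTTP/1.1" 200 1843 "-" "python-requests/2.31"`,
}

// requestRe pulls the client address, request target and status out of a
// combined-format line.
var requestRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})`)

// normalize decodes repeatedly (bounded) and lower-cases, so mixed and nested
// encodings collapse to one form. Decode errors are tolerated because attackers
// deliberately send malformed escapes; we keep whatever was decoded so far.
func normalize(target string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(target)
		if err != nil || d == target {
			break
		}
		target = d
	}
	return strings.ToLower(target)
}

// Finding is one suspicious request against the /export endpoint.
type Finding struct {
	Client string
	Target string // raw target as logged, kept for the incident record
	Status string
}

// ScanExportTraversal returns one finding per request to /export whose
// normalised path contains a ".." segment, regardless of the response status:
// a 403 still shows someone probing.
func ScanExportTraversal(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client, target, status := m[1], m[2], m[3]
		norm := normalize(target)
		if !strings.HasPrefix(norm, "/export") {
			continue
		}
		if i := strings.IndexByte(norm, '?'); i >= 0 { // drop the query string
			norm = norm[:i]
		}
		isSep := func(r rune) bool { return r == '/' || r == '\\' }
		for _, seg := range strings.FieldsFunc(norm, isSep) {
			if seg == ".." {
				out = append(out, Finding{Client: client, Target: target, Status: status})
				break
			}
		}
	}
	return out
}

func main() {
	for _, f := range ScanExportTraversal(sampleLog) {
		fmt.Printf("client=%s status=%s target=%s\n", f.Client, f.Status, f.Target)
	}
}
```

Run against the embedded sample, the scanner reports the double-encoded request, the single-encoded one that was refused with a 403, and the mixed .%2e form, while the legitimate export and the unrelated request are ignored. A 200 on a flagged line is the signal to treat conf.json as read and start rotating secrets once patched.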

Do not delay applying this update: public disclosure increases the risk of active exploitation.
