CVE-2026-32938: SiYuan
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspa...
Overview
A critical security vulnerability, identified as CVE-2026-32938, has been discovered in the SiYuan personal knowledge management software. This flaw could allow an authenticated user with access to the publish service to steal sensitive files from the desktop system where SiYuan is running. The issue is present in desktop versions 3.6.0 and below.
Vulnerability Explained
In simple terms, this vulnerability arises from two behaviours working together. First, when HTML containing links to local files (file:// URLs) is pasted, the SiYuan desktop kernel copies the linked files into the workspace's asset folder without checking whether the paths point at sensitive locations (such as system configuration or credential files). Second, the application serves the copied assets over a web interface that requires only standard user authentication.
An attacker with visitor-level access to a published SiYuan workspace can craft a request that causes the desktop kernel to copy a sensitive file from anywhere on the system into the workspace's asset folder. The attacker can then request that copied file through the normal asset URL, exfiltrating data that should never have been reachable.
Potential Impact
The impact of this vulnerability is severe (CVSS score: 9.9 - CRITICAL). A successful exploit could lead to:
- Data Exfiltration: Sensitive files from the host computer, such as SSH keys, configuration files, password managers, or documents, can be stolen.
- Privacy Breach: Personal or organizational data managed within or outside of SiYuan could be compromised.
- System Compromise: Access to sensitive system files could be a stepping stone for further attacks on the host machine or network.
Remediation and Mitigation
The primary and only complete solution is to apply the official patch.
Immediate Action Required:
- Update SiYuan: Upgrade your SiYuan desktop application to version 3.6.1 or later immediately. This version contains the fix that properly validates file paths against a sensitive-path list, preventing the unauthorized copying.
- Verify Version: Confirm your installation is running version 3.6.1 or newer. The update should be obtained from the official SiYuan website or GitHub repository.
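The mechanism described above and the fix summarised in the remediation step (validating file:// paths against a sensitive-path list before anything is copied) can be illustrated with a small checker. The following is an added example written for this advisory, not SiYuan's own code: the deny list, the example home directory and the function names are assumptions, and a real deployment would pair the check with an allowlist of directories the user has explicitly chosen to import from.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrSensitivePath is returned when a file:// link resolves into a protected location.
var ErrSensitivePath = errors.New("file:// link points at a sensitive path")

// deniedRoots is an illustrative deny list for this example (not SiYuan's actual list).
// "/home/alice" is a constructed example home directory.
var deniedRoots = []string{
	"/etc",
	"/root",
	"/home/alice/.ssh",
	"/home/alice/.config",
}

// localPathFromFileURL parses a file:// URL from pasted HTML and returns a cleaned,
// absolute local path, rejecting anything that is not a plain local file reference.
func localPathFromFileURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "file" {
		return "", fmt.Errorf("not a file URL: %q", raw)
	}
	if u.Host != "" && u.Host != "localhost" {
		return "", fmt.Errorf("unexpected host in file URL: %q", raw)
	}
	if u.Path == "" {
		return "", errors.New("empty path in file URL")
	}
	// Clean collapses ".." and duplicate separators so the prefix checks below
	// cannot be bypassed by a path such as /tmp/../etc/passwd.
	p := filepath.Clean(u.Path)
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("relative path in file URL: %q", p)
	}
	// Production code should also resolve symlinks (filepath.EvalSymlinks) for
	// files that exist, so a link inside the workspace cannot alias a protected file.
	return p, nil
}

// isUnder reports whether path is root itself or lies inside root.
// A simple string-prefix test would wrongly treat /etcetera as inside /etc.
func isUnder(path, root string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// CheckPastedFileLink returns the local path that may be copied into the workspace,
// or an error if the link is malformed or points into a sensitive location.
func CheckPastedFileLink(raw string) (string, error) {
	p, err := localPathFromFileURL(raw)
	if err != nil {
		return "", err
	}
	for _, root := range deniedRoots {
		if isUnder(p, root) {
			return "", ErrSensitivePath
		}
	}
	return p, nil
}

func main() {
	// Constructed sample links as they might appear in pasted HTML.
	for _, link := range []string{
		"file:///home/alice/Pictures/cat.png",
		"file:///tmp/../etc/passwd",
		"file:///home/alice/.ssh/id_rsa",
		"https://example.com/x.png",
	} {
		p, err := CheckPastedFileLink(link)
		fmt.Printf("%-40s -> path=%q err=%v\n", link, p, err)
	}
}
```

The check runs before any copy takes place, so a rejected link never produces an asset that the publish service could later serve. Note that a deny list only covers locations someone thought to enumerate; restricting imports to an explicit allowlist of user-chosen directories is the safer default, and the deny list then acts as a second layer.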
Temporary Mitigation (if update is delayed):
- Restrict Access: If you use the publish feature, consider temporarily disabling external access to published workspaces or restricting them to trusted users only until the update can be applied.
- Monitor for Updates: Stay informed on software patches by following trusted security news sources.
All users of SiYuan versions 3.6.0 and below are urged to treat this with high priority and update without delay to protect their sensitive local data.