CVE-2026-32110
Published: 2026-03-11
Priority: P355 · Severity: high · CVSS 3.1 base score: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.28% (19.5th percentile)
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.0 | 3.6.0 |
| github.com | siyuan-note_siyuan_kernel | >= 0 < 3.6.0 | 3.6.0 |
| siyuan-note | siyuan | < 3.6.0 | 3.6.0 |
GHSA
SiYuan has a Full-Read SSRF via /api/network/forwardProxy
ghsa·2026-03-12
CVE-2026-32110 [HIGH] CWE-918 SiYuan has a Full-Read SSRF via /api/network/forwardProxy
### Summary
The `/api/network/forwardProxy` endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.
### Affected Code
File: `/kernel/api/network.go` (Lines `153-317`)
```
func forwardProxy(c *gin.Context) {
	ret := gulu.Ret.NewResult()
	defer c.JSON(http.StatusOK, ret)

	arg, ok := util.JsonArg(c, ret)
	if !ok {
		return
	}

	destURL := arg["url"].(string)
	// VULNERABILITY: Only validates URL format, not destination
	if _, e := url.ParseRequestURI(destURL); nil != e {
		ret.Code = -1
		ret.M
		// ... (the advisory's excerpt of the function ends here)
```
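The advisory's point is that `url.ParseRequestURI` only proves the string is a URL, not that the destination is one the server should ever contact. The following is an added example written for this page, not code from the SiYuan project or from the advisory, of the destination check that is missing: a syntactic gate on scheme and literal-IP hosts, plus a dialer `Control` hook that re-checks the resolved address at connect time so that hostnames resolving to internal ranges (and redirects into them) are refused as well. All function names (`isDisallowedIP`, `validateDestURL`, `safeControl`, `newSafeClient`) are hypothetical, and the sample URLs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// isDisallowedIP reports whether a server-side fetch must never reach ip:
// loopback, RFC 1918 / IPv6 ULA private ranges, link-local (which covers the
// 169.254.169.254 cloud metadata address), unspecified and multicast.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast()
}

// validateDestURL is the syntactic gate the advisory says is absent: besides
// requiring a parseable URL it pins the scheme to http/https and rejects
// literal IP hosts in disallowed ranges before any I/O happens.
func validateDestURL(raw string) (*url.URL, error) {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	if ip := net.ParseIP(host); ip != nil && isDisallowedIP(ip) {
		return nil, fmt.Errorf("destination %s is not allowed", ip)
	}
	return u, nil
}

// safeControl runs inside the dialer on the *resolved* address, so a hostname
// that resolves (or re-resolves, as in DNS rebinding) to an internal IP is
// refused even when the literal URL passed validateDestURL.
func safeControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("unexpected non-IP dial target %q", address)
	}
	if isDisallowedIP(ip) {
		return fmt.Errorf("refusing connection to %s", ip)
	}
	return nil
}

// newSafeClient builds an http.Client whose every connection, including those
// made while following redirects, goes through safeControl.
func newSafeClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: safeControl}
	// No Proxy function on purpose: an environment proxy would hide the real
	// target from safeControl.
	transport := &http.Transport{DialContext: dialer.DialContext}
	return &http.Client{
		Transport: transport,
		Timeout:   15 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := validateDestURL(req.URL.String())
			return err
		},
	}
}

func main() {
	// Constructed sample inputs; the last two are the shapes the advisory
	// describes (loopback and cloud metadata).
	for _, raw := range []string{
		"https://example.com/page",
		"file:///etc/passwd",
		"http://127.0.0.1:8080/",
		"http://169.254.169.254/latest/meta-data/",
	} {
		if _, err := validateDestURL(raw); err != nil {
			fmt.Printf("REJECT %-42s %v\n", raw, err)
		} else {
			fmt.Printf("ALLOW  %s\n", raw)
		}
	}
	_ = newSafeClient() // use this instead of a bare http.Client for the forward
}
```

A URL such as `http://localhost/` passes `validateDestURL` because the host is a name rather than an IP literal; it is stopped by `safeControl` when the dialer resolves it to 127.0.0.1, which is why the connect-time check, not the parse-time one, is the part that actually closes the hole. `net.IP.IsPrivate` requires Go 1.17 or later.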
OSV
SiYuan has a Full-Read SSRF via /api/network/forwardProxy
osv·2026-03-12
OSV
SiYuan has a Full-Read SSRF via /api/network/forwardProxy in github.com/siyuan-note/siyuan/kernel
osv·2026-03-12
CVE-2026-32110 SiYuan has a Full-Read SSRF via /api/network/forwardProxy in github.com/siyuan-note/siyuan/kernel
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/siyuan-note/siyuan/kernel before v3.6.0.
No detection rules found.
No public exploits indexed.
Published: 2026-03-11