CVE-2026-33203
Published 2026-03-20
Priority: P3 (46) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.50% (38.9th percentile)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.2 | 3.6.2 |
| github.com | siyuan-note_siyuan_kernel | >= 0 < 3.6.2 | 3.6.2 |
| siyuan-note | siyuan | < 3.6.2 | 3.6.2 |
OSV · 2026-03-23
CVE-2026-33203: SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass in github.com/siyuan-note/siyuan/kernel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/siyuan-note/siyuan/kernel before v3.6.2.
GHSA · 2026-03-18
CVE-2026-33203 [HIGH] CWE-248: SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
## Summary
The SiYuan kernel WebSocket server accepts unauthenticated connections when a specific “auth keepalive” query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON.
A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service.
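The unchecked-assertion failure mode the summary describes, as an added Go example that is not SiYuan's code: `unsafeCmd` reproduces the vulnerable pattern, `safeCmd` shows the comma-ok form that turns a bad frame into an error, and `panics` shows the per-connection recover that confines a crash to one client. The `"cmd"` field and the sample frames are constructed for illustration, not taken from the SiYuan protocol.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample frames, not real SiYuan protocol messages.
const wellFormed = `{"cmd":"ping","app":"siyuan"}`
const malformed = `{"cmd":["not","a","string"],"app":"siyuan"}`

// unsafeCmd reproduces the vulnerable pattern: an unchecked type assertion
// on attacker-controlled JSON panics when "cmd" is missing or not a string.
func unsafeCmd(raw []byte) string {
	var msg map[string]interface{}
	_ = json.Unmarshal(raw, &msg)
	return msg["cmd"].(string)
}

// safeCmd is the hardened form: the comma-ok assertion turns bad input
// into an error the connection handler can log and drop.
func safeCmd(raw []byte) (string, error) {
	var msg map[string]interface{}
	if err := json.Unmarshal(raw, &msg); err != nil {
		return "", fmt.Errorf("malformed message: %w", err)
	}
	cmd, ok := msg["cmd"].(string)
	if !ok || cmd == "" {
		return "", fmt.Errorf("malformed message: cmd missing or not a string")
	}
	return cmd, nil
}

// panics reports whether handler panics on raw. The same deferred recover,
// placed in the per-connection read loop, confines a crash to one client.
func panics(handler func([]byte) string, raw []byte) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	handler(raw)
	return false
}

func main() {
	fmt.Println("unsafeCmd panics on malformed input:", panics(unsafeCmd, []byte(malformed)))
	_, err := safeCmd([]byte(malformed))
	fmt.Println("safeCmd rejects it instead:", err)
}
```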
## Details
**1. Authentication Bypass via Keepalive Query**
Unauthenticated connections are accepted if the request URI matches a specific pattern intended for an authentication page keepalive.
**File: kernel/server/serve.go**
```go
// Keepalive exception: a request whose URI matches the expected pattern
// is accepted without an authenticated session.
if !authOk {
	authOk = strings.Contains(s.Request.RequestURI, "/ws?app=siyuan") &&
		strings.Conta // (advisory snippet is truncated here)
```
OSV · 2026-03-18
CVE-2026-33203 [HIGH] SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
No detection rules found.
No public exploits indexed.
Published: 2026-03-20