cbcvebase.
CVE-2026-34453
published 2026-03-31

Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.23% (65.1st percentile)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.

Affected (3 ranges)

Vendor        Product                     Version range      Fixed in
b3log         siyuan                      < 3.6.2            3.6.2
github.com    siyuan-note_siyuan_kernel   >= 0, < 3.6.2      3.6.2
siyuan-note   siyuan                      < 3.6.2            3.6.2

Detection & IOCs (extracted from sources)

URL: /api/bookmark/getBookmark
  • Unauthenticated POST request to /api/bookmark/getBookmark with an empty JSON body ({}) returns HTTP 200 with 'code':0, 'type':'bookmark', and 'blocks' fields — indicating successful bypass of publish password protection.
  • Response body contains all three strings: '"code":0', '"type":"bookmark"', and '"blocks"' simultaneously, confirming bookmarked blocks from protected documents are exposed.
  • Affected versions are SiYuan <= 3.6.1; a valid version response from /api/system/version can be used to confirm that an instance falls in the vulnerable version range before checking for the bypass.
  • The root cause is FilterBlocksByPublishAccess receiving a nil context, which skips the publish password check and treats the caller as authorized — look for a nil context passed to this filter in code review.
  • Exploitation requires at least one block in a password-protected document to be bookmarked; documents with no bookmarked blocks are not exposed via this endpoint.
  • The vulnerability is only exploitable when the SiYuan publish/read-only service is exposed; instances not running the publish service are not affected.