CVE-2026-40259
Published 2026-04-16
Priority P3 (51), severity high, CVSS 3.1 score 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS: 0.40% (31.8th percentile)
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.6.4 | 3.6.4 |
| github.com | siyuan-note_siyuan_kernel | >= 0 < 0.0.0-20260407035653-2f416e5253f1 | 0.0.0-20260407035653-2f416e5253f1 |
| siyuan-note | siyuan | < 0.0.0-20260407035653-2f416e5253f1 | 0.0.0-20260407035653-2f416e5253f1 |
| siyuan-note | siyuan | < 3.6.4 | 3.6.4 |
VulDB
SiYuan up to 3.6.3 removeUnusedAttributeView ID improper authorization (GHSA-7m5h-w69j-qggg / CNNVD-202604-3430)
vuldb·2026-04-18·CVSS 8.1
A vulnerability classified as critical was found in SiYuan up to 3.6.3. Affected is an unknown function of the file /api/av/removeUnusedAttributeView. Executing a manipulation of the argument ID can lead to improper authorization.
The identification of this vulnerability is CVE-2026-40259. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
ghsa·2026-04-10
CWE-285 (Improper Authorization)
## Summary
An authenticated publish-service reader can invoke `/api/av/removeUnusedAttributeView` and cause persistent deletion of arbitrary attribute view (`AV`) definition files from the workspace.
The route is protected only by generic `CheckAuth`, which accepts publish `RoleReader` requests. The handler forwards a caller-controlled `id` directly into a model function that deletes `data/storage/av/.json` without verifying either:
- that the caller is allowed to perform write/destructive actions; or
- that the target AV is actually unused.
This is a persistent integrity and availability issue reachable from the publish surface.
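The two missing checks described above, shown as an added Go example that is not SiYuan's code: a constructed in-memory workspace and a hardened handler that refuses `RoleReader` callers, validates the id, and declines to delete an attribute view that is still referenced by a block. The role names, the id pattern and the `Workspace` type are assumptions made for this illustration.

```go
package main
import (
	"errors"
	"fmt"
	"regexp"
)

// Role stands in for the caller's publish-service role (assumed names, not SiYuan's constants).
type Role int

const (
	RoleReader Role = iota // publish-service reader: read-only
	RoleEditor             // workspace owner: may perform destructive actions
)

var (
	ErrForbidden = errors.New("forbidden: reader role cannot delete attribute views")
	ErrBadID     = errors.New("invalid attribute view id")
	ErrInUse     = errors.New("attribute view is still referenced by a block")
)
// avID is the assumed shape of a SiYuan id (14-digit timestamp, dash, 7 base36 chars); a strict
// match also keeps the id from naming anything outside the per-id JSON files under data/storage/av/.
var avID = regexp.MustCompile(`^[0-9]{14}-[0-9a-z]{7}$`)
// Workspace is a constructed in-memory stand-in for the AV definition files plus block references.
type Workspace struct {
	AVFiles  map[string]bool // av id -> definition file exists
	RefCount map[string]int  // av id -> number of blocks referencing it
}

// RemoveUnusedAttributeView is the hardened handler: role check, id validation and an
// "actually unused" check all run before the file is touched (the vulnerable one deleted on id alone).
func (w *Workspace) RemoveUnusedAttributeView(caller Role, id string) error {
	if caller == RoleReader {
		return ErrForbidden
	}
	if !avID.MatchString(id) {
		return ErrBadID
	}
	if w.RefCount[id] > 0 {
		return ErrInUse
	}
	delete(w.AVFiles, id) // stands in for removing the .json file; no-op if absent
	return nil
}

func main() {
	ws := &Workspace{AVFiles: map[string]bool{"20260407040000-orphan1": true}, RefCount: map[string]int{}}
	fmt.Println(ws.RemoveUnusedAttributeView(RoleReader, "20260407040000-orphan1")) // forbidden
	fmt.Println(ws.RemoveUnusedAttributeView(RoleEditor, "20260407040000-orphan1")) // <nil>
}
```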
## Root Cause
### 1. Publish users are issued a