CVE-2026-54069
published 2026-06-24

CVE-2026-54069: SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension://…

Priority: P2 (64) · Severity: critical · CVSS 4.0 base score: 9.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.61% (44.6th percentile)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.

Affected (1 range)

Vendor        Product   Version range   Fixed in
siyuan-note   siyuan    < 3.7.0         3.7.0

Detection & IOCs (extracted from sources)

url: POST /api/system/getConf
ip: 127.0.0.1:6806
port: 6806
other: Origin: chrome-extension://auth-test
  • Detect authentication bypass attempts by monitoring HTTP requests to /api/system/getConf (or any /api/* endpoint) on port 6806 that carry an Origin header matching the pattern chrome-extension://* — these should not receive RoleAdministrator access without a valid token.
  • Alert on HTTP 200 responses from the SiYuan kernel API (port 6806) returning JSON body containing '"code":0' alongside '"conf"', '"system"', and '"kernelVersion"' fields in response to unauthenticated requests bearing a chrome-extension:// Origin header.
  • Flag SiYuan instances with a default empty AccessAuthCode on desktop installs, as these are trivially exploitable by any request with a spoofed chrome-extension:// Origin header.
  • Use Shodan/FOFA queries to identify exposed SiYuan instances: Shodan title:"SiYuan", FOFA title="SiYuan" || body="siyuan".
  • The vulnerability only affects SiYuan Note versions up to and including 3.6.5 (prior to 3.7.0). Instances already upgraded to 3.7.0 or later are not affected.
  • The bypass is most impactful on desktop installs where the AccessAuthCode is empty by default; instances with a configured non-empty AccessAuthCode still have the Origin trust issue but the empty-token condition is not met.
  • The Origin header value chrome-extension:// can be trivially spoofed in non-browser HTTP clients; the bypass is not limited to actual browser extensions.
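The detection rules above, turned into a small log classifier as an added example (not code from the advisory or from SiYuan). It assumes a hypothetical key=value access-log format that a local proxy or host agent in front of the kernel might emit; the sample lines are constructed, and the labels distinguish a matching request that was rejected from one the kernel honoured as RoleAdministrator.

```python
import json
import re

# Constructed access-log lines in a hypothetical "key=value" format that a local
# proxy or host agent in front of the SiYuan kernel might emit (not a SiYuan log).
SAMPLE_LOG = [
    '127.0.0.1:6806 POST /api/system/getConf origin=chrome-extension://auth-test token=- status=200 body={"code":0,"data":{"conf":{"system":{"kernelVersion":"3.6.5"}}}}',
    '127.0.0.1:6806 POST /api/system/getConf origin=- token=set status=200 body={"code":0,"data":{"conf":{"system":{"kernelVersion":"3.6.5"}}}}',
    '127.0.0.1:6806 POST /api/system/getConf origin=chrome-extension://abc token=- status=401 body={"code":-1,"msg":"unauthorized"}',
    '127.0.0.1:6806 POST /api/notebook/lsNotebooks origin=chrome-extension://abc token=- status=200 body={"code":0,"data":{"notebooks":[]}}',
    '127.0.0.1:6806 GET /stage/build/app/index.html origin=chrome-extension://abc token=- status=200 body=<html>',
]

LINE_RE = re.compile(
    r'^(?P<host>[\d.]+):(?P<port>\d+) (?P<method>\S+) (?P<path>\S+) '
    r'origin=(?P<origin>\S+) token=(?P<token>\S+) status=(?P<status>\d+) body=(?P<body>.*)$'
)

def classify(line):
    """Return a finding label for one log line, or None if it is benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # Only kernel API calls on 6806 with a spoofable extension origin and no token matter.
    if f["port"] != "6806" or not f["path"].startswith("/api/"):
        return None
    if not f["origin"].startswith("chrome-extension://") or f["token"] != "-":
        return None
    if f["status"] != "200":
        return "bypass_attempt"  # pattern matched but the kernel rejected it
    try:
        body = json.loads(f["body"])
    except json.JSONDecodeError:
        return "bypass_attempt"
    if body.get("code") != 0:
        return "bypass_attempt"
    # HTTP 200 with "code":0 means the kernel honoured the request as RoleAdministrator.
    conf = body.get("data", {}).get("conf", {})
    if f["path"] == "/api/system/getConf" and "kernelVersion" in conf.get("system", {}):
        return "bypass_confirmed_getConf"
    return "bypass_success"

def scan(lines):
    """Map each flagged line index to its label; benign lines are omitted."""
    return {i: lab for i, l in enumerate(lines) if (lab := classify(l))}

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {label}")
```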