CVE-2026-54069
Published 2026-06-24
Priority: P2 (64) · Critical · CVSS 4.0 base score 9.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Exploitation: EPSS 0.61% (44.6th percentile)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siyuan-note | siyuan | < 3.7.0 | 3.7.0 |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts by monitoring HTTP requests to /api/system/getConf (or any /api/* endpoint) on port 6806 that carry an Origin header matching the pattern chrome-extension://*; these should not receive RoleAdministrator access without a valid token.
- Alert on HTTP 200 responses from the SiYuan kernel API (port 6806) returning a JSON body containing '"code":0' alongside '"conf"', '"system"', and '"kernelVersion"' fields in response to unauthenticated requests bearing a chrome-extension:// Origin header.
- Flag SiYuan instances with a default empty AccessAuthCode on desktop installs, as these are trivially exploitable by any request with a spoofed chrome-extension:// Origin header.
- Use Shodan/FOFA queries to identify exposed SiYuan instances: Shodan title:"SiYuan", FOFA title="SiYuan" || body="siyuan".
- The vulnerability only affects SiYuan Note versions up to and including 3.6.5 (prior to 3.7.0). Instances already upgraded to 3.7.0 or later are not affected.
- The bypass is most impactful on desktop installs where the AccessAuthCode is empty by default; instances with a configured non-empty AccessAuthCode still have the Origin trust issue, but the empty-token condition is not met.
- The Origin header value chrome-extension:// can be trivially spoofed in non-browser HTTP clients; the bypass is not limited to actual browser extensions.
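The first three indicators above, turned into detection logic and run over constructed HTTP transaction records, as an added example that is not from this page or the SiYuan project. The record field names (dst_port, path, headers, status, body) and the assumption that a supplied AccessAuthCode appears as an `Authorization: Token <code>` header are assumptions of the example.

```python
import json
KERNEL_PORT = 6806
GETCONF_MARKERS = ("conf", "system", "kernelVersion")  # fields named in the page's IOCs

def _header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def classify(record):
    """Return a reason string when the record looks like an unauthenticated kernel API
    call carrying a chrome-extension:// Origin (the CVE-2026-54069 pattern), else None."""
    if record["dst_port"] != KERNEL_PORT or not record["path"].startswith("/api/"):
        return None
    headers = record["headers"]
    if not _header(headers, "origin").lower().startswith("chrome-extension://"):
        return None
    # Assumption: clients present the AccessAuthCode as 'Authorization: Token <code>';
    # any non-empty Authorization header counts as a token being supplied.
    if _header(headers, "authorization").strip():
        return None
    reason = "chrome-extension Origin without token on kernel API"
    if record["status"] != 200:
        return reason + " (rejected)"  # what a patched 3.7.0+ kernel should answer
    try:
        body = json.loads(record["body"])
    except (ValueError, TypeError):
        return reason + " (HTTP 200, non-JSON body)"
    code = body.get("code") if isinstance(body, dict) else None
    if code != 0:
        return reason + " (HTTP 200, API code %r)" % (code,)
    # code 0 from /api/* means the kernel honoured the call as RoleAdministrator
    if record["path"] == "/api/system/getConf" and all(m in record["body"] for m in GETCONF_MARKERS):
        return reason + " (HTTP 200, getConf returned kernel configuration)"
    return reason + " (HTTP 200, API code 0)"

def scan(records):
    """Return (index, reason) pairs for every matching record."""
    return [(i, why) for i, r in enumerate(records) if (why := classify(r))]

# Constructed sample transactions (not captured traffic); field names are assumptions.
EXT = "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh"
SAMPLE_RECORDS = [
    {"dst_port": 6806, "path": "/api/system/getConf", "headers": {"Origin": EXT}, "status": 200,
     "body": '{"code":0,"msg":"","data":{"conf":{"system":{"kernelVersion":"3.6.5"}}}}'},
    {"dst_port": 6806, "path": "/api/system/getConf", "status": 200,
     "headers": {"Origin": EXT, "Authorization": "Token s3cret"}, "body": '{"code":0,"msg":"","data":{}}'},
    {"dst_port": 6806, "path": "/api/system/getConf", "headers": {"Origin": EXT}, "status": 401,
     "body": '{"code":-1,"msg":"auth failed","data":null}'},
    {"dst_port": 6806, "path": "/stage/build/app/", "headers": {"Origin": EXT}, "status": 200, "body": "<html>"},
]
```

Only the first sample record (unauthenticated, HTTP 200, code 0, getConf fields present) represents a successful bypass; the 401 record is still reported so that attempts against patched kernels remain visible.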
No advisories linked to this vulnerability.
No detection rules found.
Nuclei template
CVE-2026-54069: SiYuan Note <= 3.6.5 - Authentication Bypass (nuclei · CVSS 9.1)
SiYuan Note 3.6.5 and prior is vulnerable to authentication bypass. The CheckAuth middleware unconditionally trusted all chrome-extension:// origins, granting RoleAdministrator access without token validation to any request with a spoofed Origin header. Fixed in v3.7.0.
Template:
```yaml
id: CVE-2026-54069
info:
  name: SiYuan Note <= 3.6.5 - Authentication Bypass
  author: 0x_Akoko
  severity: high
  description: |
    SiYuan Note 3.6.5 and prior is vulnerable to authentication bypass. The CheckAuth middleware unconditionally trusted all chrome-extension:// origins, granting RoleAdministrator access without token validation to any request with a spoofed Origin header. Fixed in v3.7.0.
  impact: |
    Attackers can access all admin API endpoints, enabling full data e
```
No writeups or analysis indexed.