{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34453", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T18:18:14.895Z", "datePublished": "2026-03-31T21:43:32.138Z", "dateUpdated": "2026-04-01T15:53:02.043Z"}, "containers": {"cna": {"title": "SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q"}, {"name": "https://github.com/siyuan-note/siyuan/issues/17246", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/issues/17246"}, {"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:43:32.138Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2."}], "source": {"advisory": "GHSA-c77m-r996-jr3q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:30:20.251585Z", "id": "CVE-2026-34453", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:53:02.043Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "matchCriteriaId": "27CB71A7-7208-417A-AE6D-266D57F683E9", "versionEndExcluding": "3.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2."}], "id": "CVE-2026-34453", "lastModified": "2026-04-03T16:53:22.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T22:16:20.483", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/siyuan-note/siyuan/issues/17246"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.2)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "siyuan", "source": "cna", "vendor": "siyuan-note"}, "product": "siyuan", "vendor": "siyuan"}], "analysis": {"en": {"generated_at": "2026-04-03T20:24:35.487324+00:00", "value": {"mitigation_remediation": ["Upgrade SiYuan to version\u202f3.6.2 or later, which removes the authentication bypass in the bookmark API.", "After upgrading, verify that accessing /api/bookmark/getBookmark no longer returns content from protected documents.", "If an upgrade is not immediately possible, disable the publish feature or remove bookmarks from protected documents until the fix is applied, and monitor logs for evidence of unauthorized reads."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects the SiYuan personal knowledge\u2011management application, specifically all releases prior to version\u202f3.6.2. Attackers only need access to the publish service exposed by a SiYuan instance. The issue is tied to the bookmark API, so Siyuan products that offer host\u2011based publish read\u2011only mode are impacted.", "description_and_impact": "This vulnerability arises from a broken access control in SiYuan's publish API endpoint /api/bookmark/getBookmark. Because the filter does not enforce the publish password when the request context is nil, an unauthenticated visitor can retrieve bookmarked blocks from documents that are otherwise password\u2011protected. The result is that sensitive content can be read by anyone who can reach the publish service, leading to a confidentiality breach. The weakness is a classic example of CWE\u2011863: Missing Authorization.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates high severity, and the EPSS value of 7\u202f% suggests a modest but realistic likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no known active exploits are publicly documented. Exploitation requires network access to the publish endpoint and the presence of at least one bookmark in a protected document; no special authentication is needed, making the attack path straightforward for an attacker with internet exposure to the service."}}}}, "created": "2026-04-02T07:52:05.092297+00:00", "updated": "2026-04-03T21:17:27.749362+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}