{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32767", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.533Z", "datePublished": "2026-03-20T00:13:31.384Z", "dateUpdated": "2026-03-20T14:42:49.764Z"}, "containers": {"cna": {"title": "SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"}, {"name": "https://github.com/siyuan-note/siyuan/issues/17209", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/issues/17209"}, {"name": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5"}, {"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:13:31.384Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."}], "source": {"advisory": "GHSA-j7wh-x834-p3r7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:42:43.938307Z", "id": "CVE-2026-32767", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:42:49.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32767", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:42:43.938307Z"}}}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:42:29.289Z"}}], "cna": {"title": "SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API", "source": {"advisory": "GHSA-j7wh-x834-p3r7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"status": "affected", "version": "< 3.6.1"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/siyuan-note/siyuan/issues/17209", "name": "https://github.com/siyuan-note/siyuan/issues/17209", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5", "name": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:13:31.384Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32767", "state": "PUBLISHED", "dateUpdated": "2026-03-20T14:42:49.764Z", "dateReserved": "2026-03-13T18:53:03.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T00:13:31.384Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."}], "id": "CVE-2026-32767", "lastModified": "2026-03-20T15:16:17.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T01:15:55.597", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5"}, {"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/issues/17209"}, {"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.1)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "siyuan", "source": "cna", "vendor": "siyuan-note"}, "product": "siyuan", "vendor": "siyuan"}], "analysis": {"en": {"generated_at": "2026-03-20T02:50:52.880995+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to Siyuan v3.6.1 or later.", "Verify that the deployed instance has the updated version; if an upgrade is not feasible immediately, restrict authenticated access to the system or consider disabling the /api/search/fullTextSearchBlock endpoint until a patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "All installations of the siyuan-note:siyuan product running version 3.6.0 or earlier are affected. The problem was corrected in version 3.6.1, which restores the required CheckAdminRole and CheckReadonly middleware on the search endpoint.", "description_and_impact": "SiYuan is a personal knowledge management system that now has a severe vulnerability affecting its search API. The /api/search/fullTextSearchBlock endpoint incorrectly processes the method parameter value of 2, forwarding user input directly to the underlying SQLite database as a raw SQL command. This bypasses the application\u2019s standard authorization mechanisms and allows any authenticated user\u2014including those with the Reader role\u2014to execute arbitrary SQL statements such as SELECT, DELETE, UPDATE, and DROP TABLE. The weakness is characterized by CWE\u2011863 (Incorrect Authorization) and CWE\u201189 (Improper Neutralization of Special Elements used in an SQL Command), and can lead to data loss, tampering, or disclosure of sensitive information.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.8, indicating a critical severity. EPSS data is not available, and it is not listed in the CISA KEV catalog, but its exploitation does not require elevated privileges beyond normal user authentication. Any compromised or weakly protected account can exploit the bypass to compromise the entire database, posing a high risk to confidentiality, integrity, and availability."}}}}, "created": "2026-03-20T08:54:10.810818+00:00", "updated": "2026-03-20T10:43:37.804815+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}