CVE-2026-29073 in SiYuan

Summary

by MITRE • 03/06/2026

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights; any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0.


Analysis

by VulDB Data Team • 03/12/2026

The vulnerability identified as CVE-2026-29073 affects SiYuan, a personal knowledge management system used to organize and store notes and documents. The flaw is an authorization bypass in the /api/query/sql endpoint, which exposes direct SQL query execution against the application's database. Prior to version 3.6.0 the endpoint checked only that the caller was authenticated; it did not verify that the caller held the administrator role that database queries are meant to require. As a result, any authenticated user, regardless of role, could submit arbitrary SQL statements to the underlying database.

The weakness is classified as CWE-285 (Improper Authorization). Authentication works as intended, so the application knows who the caller is, but the authorization boundary between the reader and administrator roles is not enforced on this endpoint, and a read-only account therefore obtains administrator-level database access. This is not SQL injection in the usual sense of untrusted input escaping from a query: the endpoint deliberately executes whatever statement it is given, and the defect is that the wrong users could reach it. The practical consequence is the same, though: an attacker holding any account can read, modify, or delete database records through the endpoint.

Operationally, the impact depends on who holds accounts on the instance. Because SiYuan is a personal knowledge management system, many deployments have a single user; the flaw matters where an instance is shared or hands out lower-privileged reader accounts, since any of those users can read, alter, or delete the stored content through the database directly, bypassing the restrictions the reader role was supposed to impose. That affects the confidentiality and integrity of the stored notes and, if records are deleted or corrupted, their availability. The concern is greatest where the knowledge base holds personal data, business documents, or other material that the role separation was meant to protect.

The fix in version 3.6.0 adds an administrator-role check to the endpoint before any SQL statement is executed, so only administrators can use it; this restores the intended least-privilege boundary. Operators should upgrade to 3.6.0 or later. As defense in depth, limit network exposure of the SiYuan API, review which accounts and tokens exist on shared instances, and log and monitor calls to /api/query/sql. The issue is a reminder that authentication is not authorization: every endpoint that performs a privileged operation needs its own role check, not merely a valid session.
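To make the gap described above concrete, the following Go program models the two versions of the route with standard-library handlers: a vulnerable router that gates /api/query/sql with an authentication check only, and a fixed router that also requires the admin role. This is an added example written for this page, not SiYuan's own kernel code; the token-to-role table, the JSON error bodies, the stub querySQL handler and the middleware names are assumptions for the illustration, and only the `Authorization: Token ...` header convention follows SiYuan's API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// role is a constructed role model for this example (not SiYuan's real one).
// roleNone is the zero value so that an unknown token never reads as admin.
type role int

const (
	roleNone role = iota
	roleReader
	roleAdmin
)

// tokens maps an API token to its role; constructed sample data.
var tokens = map[string]role{
	"tok-admin":  roleAdmin,
	"tok-reader": roleReader,
}

type middleware func(http.Handler) http.Handler

// tokenFrom extracts the token from an "Authorization: Token <value>" header.
func tokenFrom(r *http.Request) string {
	return strings.TrimPrefix(r.Header.Get("Authorization"), "Token ")
}

// checkAuth is the "basic auth" gate: any valid token passes, whatever its role.
func checkAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := tokens[tokenFrom(r)]; !ok {
			http.Error(w, `{"code":-1,"msg":"Auth failed"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkAdminRole is the gate that was missing before 3.6.0: only admins continue.
func checkAdminRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tokens[tokenFrom(r)] != roleAdmin { // missing key -> roleNone -> rejected
			http.Error(w, `{"code":-1,"msg":"Admin role required"}`, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// querySQL stands in for the real handler, which would execute the request's
// "stmt" against the database. Here it only acknowledges that it was reached.
func querySQL(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, `{"code":0,"msg":"","data":[]}`)
}

// chain wraps h so that mws[0] runs first, then mws[1], ..., then h.
func chain(h http.Handler, mws ...middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// vulnerableRouter registers the endpoint behind authentication only.
func vulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/query/sql", chain(http.HandlerFunc(querySQL), checkAuth))
	return mux
}

// fixedRouter registers the endpoint behind authentication and the admin check.
func fixedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/query/sql", chain(http.HandlerFunc(querySQL), checkAuth, checkAdminRole))
	return mux
}

// callQuerySQL posts a sample statement with the given token (empty = none)
// and returns the HTTP status code the router produced.
func callQuerySQL(router http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/query/sql",
		strings.NewReader(`{"stmt":"SELECT * FROM blocks LIMIT 1"}`))
	if token != "" {
		req.Header.Set("Authorization", "Token "+token)
	}
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, tc := range []struct{ name, token string }{
		{"no token", ""}, {"reader", "tok-reader"}, {"admin", "tok-admin"},
	} {
		fmt.Printf("%-9s vulnerable=%d fixed=%d\n", tc.name,
			callQuerySQL(vulnerableRouter(), tc.token), callQuerySQL(fixedRouter(), tc.token))
	}
}
```

Running it shows the difference in one table: the reader token gets 200 from the vulnerable router and 403 from the fixed one, while an unauthenticated call gets 401 from both and the admin token gets 200 from both. The point of the `chain` ordering is that the role check sits after authentication on the same route, so it is impossible to reach the handler without passing both.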

Responsible

GitHub M

Reservation

03/03/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00068

KEV

no

Activities

very low

Sources
