CVE-2026-30869 in SiYuan
Summary
by MITRE • 03/10/2026
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token, cookie signing key, and workspace access authentication code. Leaking these secrets may enable administrative access to the SiYuan kernel API, and in certain deployment scenarios could potentially be chained into remote code execution (RCE). This vulnerability is fixed in 3.5.10.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/13/2026
The vulnerability CVE-2026-30869 represents a critical path traversal flaw in SiYuan, a personal knowledge management system that has gained significant traction among users seeking secure note-taking and document management solutions. This vulnerability specifically affects versions prior to 3.5.10 and resides within the /export endpoint of the application's web interface. The flaw enables attackers to bypass normal file access controls and retrieve arbitrary files from the server's filesystem through carefully crafted requests that exploit double-encoded traversal sequences.
The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the file path handling logic of the export functionality. When the application processes requests to the /export endpoint, it fails to properly validate or sanitize user-supplied path parameters, allowing malicious actors to inject directory traversal sequences such as ../ or %2e%2e%2f. These double-encoded sequences bypass basic security filters and enable attackers to navigate outside the intended directory boundaries. The vulnerability's exploitation is particularly concerning because it can be chained with other techniques to achieve more severe outcomes, making it a significant threat to system integrity.
The operational impact of this vulnerability extends far beyond simple information disclosure, as the exposed files contain critical system secrets that could grant attackers substantial control over the application's functionality. The conf/conf.json configuration file, when accessed through this vulnerability, reveals sensitive credentials including API tokens, cookie signing keys, and workspace access authentication codes. These secrets form the foundation of the application's security model and, when compromised, can enable attackers to gain administrative access to the SiYuan kernel API. This administrative access represents a complete compromise of the application's security boundaries, potentially allowing attackers to modify or delete user content, access other users' data, or manipulate the application's core functionality.
The potential for remote code execution in certain deployment scenarios makes this vulnerability particularly dangerous from a cybersecurity perspective. When attackers can obtain administrative access through API token compromise, they may be able to leverage additional vulnerabilities or misconfigurations to achieve full system compromise. This chaining potential aligns with common attack patterns documented in the MITRE ATT&CK framework, specifically relating to privilege escalation and persistence techniques. The vulnerability's classification as a path traversal issue maps directly to CWE-22, which describes the weakness of allowing untrusted input to influence the path of file access operations.
Organizations using SiYuan should prioritize immediate remediation by upgrading to version 3.5.10 or later, which implements proper input validation and sanitization measures to prevent directory traversal attacks. Additional mitigations include implementing web application firewalls with path traversal detection capabilities, restricting file access permissions on the server, and monitoring for suspicious access patterns in application logs. The vulnerability demonstrates the critical importance of input validation in web applications and serves as a reminder that seemingly simple functionality like file exports can become attack vectors when proper security controls are not implemented. Security teams should also conduct thorough reviews of other endpoints in the application for similar path traversal vulnerabilities and implement comprehensive security testing procedures to identify and remediate such issues before they can be exploited by malicious actors.