CVE-2026-32815 in SiYuan
Summary
by MITRE • 03/20/2026
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.
Analysis
by VulDB Data Team • 03/25/2026
CVE-2026-32815 affects SiYuan, a personal knowledge management system: in versions 3.6.0 and earlier, the WebSocket endpoint at /ws, which is meant to keep the kernel connection alive for the login page, contains a bypass that grants unauthenticated access when specific URL parameters are supplied. The root cause is an improper authentication check that should have prevented unauthorized connections to the real-time event stream. The vulnerability is classified as CWE-287 (Improper Authentication), i.e. failing to validate credentials before granting access to a protected resource.
Exploitation requires no more than appending ?app=siyuan&id=auth&type=auth to the /ws URL: any external client can then open a WebSocket to the SiYuan instance without authenticating. The bypass was likely intended as a narrow workaround for the login page but was neither secured nor limited in scope. Because WebSocket push is real-time, a connected client receives every server push event as it occurs, which turns the endpoint into a continuous leak channel. These events carry document titles, notebook names, file paths, and every create, read, update and delete operation performed by authenticated users, effectively exposing the entire knowledge base content and the user's activity patterns.
The impact goes beyond a one-off information disclosure, because the connection can be held open for persistent monitoring. Since the server does not validate the Origin header, a malicious website can open a cross-origin WebSocket to the victim's local SiYuan instance without the user's knowledge or consent. The attacker can then monitor note-taking activity, track document creation patterns, and potentially identify sensitive information being stored in the knowledge base, observing the user's behaviour as it happens. This makes the flaw particularly dangerous for users who keep confidential information in their personal knowledge management system. This issue aligns with ATT&CK technique T1071.004 for application layer protocol usage and T1566 for credential harvesting through social engineering.
Version 3.6.1 fixes the issue by enforcing authentication on the WebSocket endpoint and validating the Origin header. The remediation likely verifies the session before the connection is upgraded, so that only authenticated users can reach the real-time event stream; the fix should also validate and sanitize the request parameters so that crafted URL parameters cannot re-enable the bypass. Organizations using SiYuan should upgrade to version 3.6.1 or later immediately and consider network-level monitoring for suspicious WebSocket connections. The case highlights the need to enforce authentication on real-time communication channels and shows how a seemingly benign convenience feature becomes a security risk when it is not protected against unauthorized access.
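The following Go example is added here to illustrate the authorization decision the fix hinges on; it is not SiYuan's code or the 3.6.1 patch. It contrasts a pre-upgrade check that honours the keep-alive parameters the advisory describes with a hardened check that requires a session and validates Origin for every /ws client. The function names, the session lookup, and the assumed local address 127.0.0.1:6806 are placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sessionCheck stands in for the application's real session lookup
// (hypothetical; the advisory does not describe SiYuan's session mechanism).
type sessionCheck func(r *http.Request) bool

// vulnerableAuthorize mirrors the flawed pattern the advisory describes: the keep-alive
// parameters short-circuit the session check and the Origin header is never examined.
func vulnerableAuthorize(r *http.Request, valid sessionCheck) (bool, string) {
	q := r.URL.Query()
	if q.Get("app") == "siyuan" && q.Get("id") == "auth" && q.Get("type") == "auth" {
		return true, "keep-alive bypass"
	}
	if valid(r) {
		return true, "authenticated"
	}
	return false, "unauthenticated"
}

// hardenedAuthorize requires a valid session for every /ws client, whatever the query
// string says, and rejects a browser Origin other than the instance itself. A missing
// Origin (non-browser client) cannot borrow a victim's cookies, so the session check gates it.
func hardenedAuthorize(r *http.Request, valid sessionCheck, self map[string]bool) (bool, string) {
	if origin := r.Header.Get("Origin"); origin != "" {
		u, err := url.Parse(origin)
		if err != nil || !self[u.Scheme+"://"+u.Host] {
			return false, "cross-origin WebSocket rejected: " + origin
		}
	}
	if !valid(r) {
		return false, "unauthenticated"
	}
	return true, "authenticated same-origin client"
}

func main() {
	// Constructed handshake: a foreign page sends the keep-alive parameters with no session cookie.
	r := httptest.NewRequest("GET", "http://127.0.0.1:6806/ws?app=siyuan&id=auth&type=auth", nil)
	r.Header.Set("Origin", "http://evil.example")
	noSession := func(*http.Request) bool { return false }
	self := map[string]bool{"http://127.0.0.1:6806": true} // assumed listen address
	fmt.Println(vulnerableAuthorize(r, noSession))     // true keep-alive bypass
	fmt.Println(hardenedAuthorize(r, noSession, self)) // false cross-origin WebSocket rejected: http://evil.example
}
```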