SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Description
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/siyuan-note/siyuan/kernelGo | <= 0.0.0-20260313024916-fd6526133bb3 | — |
Affected products
1- Range: < 3.6.1
Patches
1d5e2d0bce0df:lock: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7
1 file changed · +8 −0
kernel/api/search.go+8 −0 modified@@ -396,6 +396,14 @@ func fullTextSearchBlock(c *gin.Context) { } page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg) + + // SQL mode requires admin privileges, consistent with /api/query/sql + if method == 2 && !model.IsAdminRoleContext(c) { + ret.Code = -1 + ret.Msg = "SQL search requires administrator privileges" + return + } + blocks, matchedBlockCount, matchedRootCount, pageCount, docMode := model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize) if model.IsReadOnlyRoleContext(c) { publishAccess := model.GetPublishAccess()
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-j7wh-x834-p3r7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32767ghsaADVISORY
- github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5ghsax_refsource_MISCWEB
- github.com/siyuan-note/siyuan/issues/17209ghsax_refsource_MISCWEB
- github.com/siyuan-note/siyuan/releases/tag/v3.6.1ghsax_refsource_MISCWEB
- github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.