SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/siyuan-note/siyuan/kernelGo | <= 0.0.0-20260313024916-fd6526133bb3 | — |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/siyuan-note/siyuan/kernelpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
<= 0.0.0-20260313024916-fd6526133bb3+ 1 more
- (no CPE)range: <= 0.0.0-20260313024916-fd6526133bb3
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
- Range: < 3.6.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-xp2m-98x8-rpj6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32815ghsaADVISORY
- github.com/siyuan-note/siyuan/commit/1e370e37359778c0932673e825182ff555b504a3ghsax_refsource_MISCWEB
- github.com/siyuan-note/siyuan/releases/tag/v3.6.1ghsax_refsource_MISCWEB
- github.com/siyuan-note/siyuan/security/advisories/GHSA-xp2m-98x8-rpj6ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.