CVE-2026-40259
Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | < 0.0.0-20260407035653-2f416e5253f1 | 0.0.0-20260407035653-2f416e5253f1 |
Affected products
- Range: < 0.0.0-20260407035653-2f416e5253f1
Patches
No patches discovered yet.
References
- github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg (NVD: Exploit, Third Party Advisory; web)
- github.com/advisories/GHSA-7m5h-w69j-qggg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40259 (GHSA: Advisory)
- github.com/siyuan-note/siyuan/releases/tag/v3.6.4 (NVD: Release Notes; web)