CVE-2026-23851
Unknown Unknown - Not Provided
Path Traversal in SiYuan /api/file/globalCopyFiles Allows Unauthorized File Access

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23851
EUVD
EUVD-2026-3291
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
siyuan siyuan_note to 3.5.4 (exc)
siyuan siyuan_note 3.5.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in SiYuan Note versions prior to 3.5.4 is a critical arbitrary file read issue caused by improper path validation in the /api/file/globalCopyFiles endpoint. Authenticated users can provide a list of source file paths to copy files into the application's workspace. While the system checks if the files exist, it does not verify that these files are within the authorized workspace directory. This allows users to copy any file from the server's filesystem, including sensitive system files, into the workspace, bypassing directory restrictions. [1]

Impact Analysis

The vulnerability can lead to unauthorized access to sensitive configuration and system files on the server, such as /etc/passwd or docker-compose.yml. Attackers can copy these files into the application workspace and download them, potentially exposing credentials and other confidential information. This can facilitate further attacks, possibly resulting in full infrastructure compromise and a complete loss of confidentiality of user data and the server environment. [1]

Detection Guidance

This vulnerability can be detected by attempting to exploit the /api/file/globalCopyFiles endpoint with authenticated access, sending a JSON request containing source file paths outside the authorized workspace directory (e.g., /etc/passwd). Monitoring logs for such requests or unusual file copy activities to the workspace may also help detect exploitation attempts. Specific commands are not provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade SiYuan Note to version 3.5.4 or later, where the vulnerability has been patched. Additionally, restrict authenticated user access to trusted users only and monitor file copy operations to detect suspicious activity until the upgrade is applied. [1]

Compliance Impact

The vulnerability allows attackers to bypass directory restrictions and access sensitive system and configuration files, leading to a complete loss of confidentiality of user data and the server environment. This exposure of sensitive data could result in non-compliance with common standards and regulations such as GDPR and HIPAA, which require strict protection of personal and sensitive information. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23851. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart