CVE-2026-23851
Path Traversal in SiYuan /api/file/globalCopyFiles Allows Unauthorized File Access
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siyuan | siyuan_note | to 3.5.4 (exc) |
| siyuan | siyuan_note | 3.5.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in SiYuan Note versions prior to 3.5.4 is a critical arbitrary file read issue caused by improper path validation in the /api/file/globalCopyFiles endpoint. Authenticated users can provide a list of source file paths to copy files into the application's workspace. While the system checks if the files exist, it does not verify that these files are within the authorized workspace directory. This allows users to copy any file from the server's filesystem, including sensitive system files, into the workspace, bypassing directory restrictions. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to sensitive configuration and system files on the server, such as /etc/passwd or docker-compose.yml. Attackers can copy these files into the application workspace and download them, potentially exposing credentials and other confidential information. This can facilitate further attacks, possibly resulting in full infrastructure compromise and a complete loss of confidentiality of user data and the server environment. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the /api/file/globalCopyFiles endpoint with authenticated access, sending a JSON request containing source file paths outside the authorized workspace directory (e.g., /etc/passwd). Monitoring logs for such requests or unusual file copy activities to the workspace may also help detect exploitation attempts. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SiYuan Note to version 3.5.4 or later, where the vulnerability has been patched. Additionally, restrict authenticated user access to trusted users only and monitor file copy operations to detect suspicious activity until the upgrade is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to bypass directory restrictions and access sensitive system and configuration files, leading to a complete loss of confidentiality of user data and the server environment. This exposure of sensitive data could result in non-compliance with common standards and regulations such as GDPR and HIPAA, which require strict protection of personal and sensitive information. [1]