Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-30869 is a critical path traversal vulnerability in the SiYuan personal knowledge management system affecting versions prior to 3.5.10. It exists in the /export endpoint, which improperly handles URL-decoded file paths. The endpoint fails to ensure that requested files remain within the intended export directory, allowing attackers to exploit double-encoded traversal sequences (like %252e%252e which decodes to ..) to access arbitrary files on the server filesystem.'}, {'type': 'paragraph', 'content': 'By exploiting this vulnerability, attackers can read sensitive files such as conf/conf.json, which contains secrets including API tokens, cookie signing keys, and workspace access authentication codes. These leaked secrets can enable administrative access to the SiYuan kernel API and, in some deployment scenarios, may be chained to achieve remote code execution (RCE).'}, {'type': 'paragraph', 'content': "The vulnerability requires no privileges or user interaction and is facilitated by the server's overly permissive CORS policy (Access-Control-Allow-Origin: *), which allows malicious web pages to read responses from a victim’s local SiYuan instance."}] [1]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can have severe impacts including unauthorized disclosure of sensitive information and potential system compromise.

• Attackers can read arbitrary files on the server, including configuration files containing secrets such as API tokens and authentication codes.
• Leaked secrets may allow attackers to gain administrative access to the SiYuan kernel API.
• In certain deployment scenarios, attackers could chain this access to perform remote code execution (RCE), potentially taking full control of the affected system.
• The vulnerability requires no privileges or user interaction, making it easy to exploit remotely over the network.
• The server’s permissive CORS policy enables malicious web pages to exploit this vulnerability against local SiYuan instances.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending specially crafted HTTP GET requests to the /export endpoint using double-encoded traversal sequences and checking for successful responses that reveal sensitive files.

• Send a GET request to /export/%252e%252e/%252e%252e/conf/conf.json and check if the server responds with HTTP 200 and sensitive configuration data.
• Send a GET request to /export/%252e%252e/%252e%252e/etc/passwd to test if arbitrary files outside the export directory can be accessed.
• Use curl commands such as: curl -v http://localhost:端口/export/%252e%252e/%252e%252e/conf/conf.json to observe if sensitive data is returned.
• If sensitive tokens are leaked, test administrative API access by sending authorized requests with the leaked token, for example: POST /api/system/getNetwork with header Authorization: Token <leaked token>.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the SiYuan application to version 3.5.10 or later, where this path traversal vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the /export endpoint, especially from untrusted networks, and consider disabling or limiting CORS settings to prevent malicious web pages from accessing local SiYuan instances.

Monitor for any suspicious access patterns to the /export endpoint and revoke any leaked tokens or credentials if possible.

Useful 0 Not Useful 0