Executive Summary

CVE-2026-32704 is a vulnerability in the SiYuan personal knowledge management system versions prior to 3.6.1. It occurs because the POST endpoint /api/template/renderSprig does not enforce an administrative role check, allowing any authenticated user to execute arbitrary SQL SELECT queries on the SiYuan workspace database.

This happens because the endpoint only requires authentication but lacks the necessary admin role verification. Through this endpoint, users can run raw SQL queries that expose all note content, metadata, custom attributes, tags, block IDs, timestamps, and document hierarchy.

As a result, any authenticated user, even with low privileges, can access sensitive data belonging to other users by exploiting this missing authorization check.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of all notes and metadata stored in the SiYuan workspace database.

• Attackers can exfiltrate sensitive information such as passwords, API keys, personal data, and other confidential content.
• The confidentiality of the data is severely compromised, although integrity and availability are not affected.
• The attack complexity is low, requiring only that the attacker be an authenticated user; no additional user interaction is needed.
• In shared or enterprise environments, this vulnerability allows lower-privilege users to access data they should not have permission to see.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing whether the POST endpoint /api/template/renderSprig allows execution of arbitrary SQL queries without proper admin authorization.'}, {'type': 'paragraph', 'content': 'A practical detection method is to authenticate as a low-privilege user and send a POST request to /api/template/renderSprig with a template payload that attempts to execute a SQL query, such as counting rows in a database table.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (replace <API_TOKEN> and <SIYUAN_URL> accordingly):'}, {'type': 'list_item', 'content': 'curl -X POST <SIYUAN_URL>/api/template/renderSprig -H "Authorization: Bearer <API_TOKEN>" -H "Content-Type: application/json" -d \'{"template": "{{querySQL \\"SELECT count(*) as n FROM blocks\\" | toJson}}"}\''}, {'type': 'paragraph', 'content': 'If the response returns a JSON with the count of rows, it confirms that arbitrary SQL execution is possible, indicating the presence of the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the SiYuan application to version 3.6.1 or later, where this vulnerability is fixed by adding the missing admin role check on the /api/template/renderSprig endpoint.

Until the upgrade can be performed, restrict access to the SiYuan service to trusted users only, and monitor for suspicious API requests to the /api/template/renderSprig endpoint.

Additionally, consider implementing network-level controls such as firewall rules or API gateway policies to limit access to authenticated users with appropriate privileges.

Useful 0 Not Useful 0