CVE-2026-32750
Insecure File Import in SiYuan Allows Unauthorized Data Access
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | < 3.6.1 (3.6.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the SiYuan personal knowledge management system, versions 3.6.0 and below. It occurs because the POST /api/import/importStdMd endpoint accepts a localPath parameter without any validation. This parameter is passed directly to the function ImportFromLocalPath, which recursively reads every file under the specified path and stores their content permanently as SiYuan note documents in the workspace database.
As a result, all files under the given path become searchable and accessible to all workspace users, including Publish Service Reader accounts. This means sensitive data can be exposed. Additionally, when combined with a separate SQL injection vulnerability (renderSprig), a non-admin user can read all imported secrets without needing extra privileges. The issue was fixed in version 3.6.1.
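The root cause described above is a caller-controlled filesystem path reaching a recursive reader with no confinement check. The Go code below is an added example, not SiYuan's own code and not the fix shipped in 3.6.1 (the page only says the issue was fixed, not how). It assumes the server is configured with a single allowed import root and shows the check a handler such as the importStdMd endpoint would apply to localPath before handing it to any reader: a lexical check that rejects any path resolving outside the root, plus a second pass that follows symlinks so a link inside the root cannot point back out. The root directory and request strings are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the requested path escapes the import root.
var ErrOutsideRoot = errors.New("import path is outside the allowed root")

// ResolveImportPath confines a caller-supplied path (the localPath parameter
// in the description above) to allowedRoot using a purely lexical check.
// It returns the cleaned candidate path on success. Relative requests are
// interpreted relative to the root, never relative to the process CWD.
func ResolveImportPath(allowedRoot, requested string) (string, error) {
	if strings.TrimSpace(requested) == "" {
		return "", errors.New("empty import path")
	}
	root, err := filepath.Abs(filepath.Clean(allowedRoot))
	if err != nil {
		return "", err
	}
	var candidate string
	if filepath.IsAbs(requested) {
		candidate = filepath.Clean(requested)
	} else {
		candidate = filepath.Join(root, requested)
	}
	// filepath.Rel normalises "..", so a prefix-only comparison cannot be
	// fooled by a sibling such as "<root>2"; any leading ".." is an escape.
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// ResolveExistingImportPath repeats the check after resolving symlinks on
// both sides, so a symlink placed under the root that targets a directory
// outside it is rejected as well. Both paths must exist on disk.
func ResolveExistingImportPath(allowedRoot, requested string) (string, error) {
	candidate, err := ResolveImportPath(allowedRoot, requested)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(allowedRoot)
	if err != nil {
		return "", err
	}
	realCandidate, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	return ResolveImportPath(realRoot, realCandidate)
}

func main() {
	// Constructed root for the demo; a real deployment would make this
	// a fixed configuration value, never something the client supplies.
	root := "/srv/siyuan/imports"
	for _, req := range []string{
		"notes/readme.md",
		"../../outside/secret.txt",
		"/srv/siyuan/imports2/x",
	} {
		p, err := ResolveImportPath(root, req)
		fmt.Printf("%-28q -> path=%q err=%v\n", req, p, err)
	}
}
```

The lexical check alone is enough to stop "../" traversal, but it says nothing about what the path points to once the filesystem is consulted; the symlink-aware variant is the one to call immediately before a recursive walk. A denied request is worth logging with the raw localPath value, since repeated rejections from one account are a useful detection signal for this class of issue.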
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive files on the system where SiYuan is running. Because the contents of files under the specified path are imported and stored in the workspace database, all workspace users, including those with limited privileges, can access potentially confidential information.
Furthermore, when combined with another SQL injection vulnerability, even non-admin users can read all imported secrets without additional privileges, increasing the risk of data leakage and compromise of sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed in SiYuan version 3.6.1. The immediate step to mitigate this vulnerability is to upgrade SiYuan to version 3.6.1 or later.