CVE-2026-32767
SQL Injection via Authorization Bypass in SiYuan Search API
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | < 3.6.1 (3.6.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32767 is a critical authorization bypass vulnerability in the SiYuan personal knowledge management system versions 3.6.0 and below. The vulnerability exists in the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. In this case, the endpoint executes user-supplied input directly as raw SQL statements on the underlying SQLite database without performing any authorization or read-only checks.
This flaw allows any authenticated user, including those with only Reader role privileges, to execute arbitrary SQL commands such as SELECT, DELETE, UPDATE, and DROP TABLE. This behavior bypasses the intended security model, where only administrators should be able to execute such SQL commands. The vulnerability arises because the vulnerable endpoint only applies basic authentication middleware (CheckAuth) but lacks the necessary role checks (CheckAdminRole and CheckReadonly) that are enforced on other SQL endpoints.
The issue was fixed in version 3.6.1 by adding proper authorization checks to restrict SQL execution to administrators.
How can this vulnerability impact me?
This vulnerability can have severe impacts on confidentiality, integrity, and availability of your data and application.
- Confidentiality: Unauthorized users with Reader role can read all database contents, including sensitive information such as blocks, assets, references, and configuration data.
- Integrity: Unauthorized users can modify or delete any data in the database, despite their intended read-only access.
- Availability: Unauthorized users can execute destructive SQL commands like DROP TABLE, potentially corrupting or destroying the database and rendering the application unusable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for POST requests to the endpoint /api/search/fullTextSearchBlock with the parameter method set to 2, which allows execution of arbitrary SQL statements. An example detection method is to look for unusual or unauthorized SQL queries in the request payloads, especially from users with Reader roles.
You can use network monitoring or web application firewall (WAF) logs to identify such requests. For example, using command-line tools like curl or HTTP request logs, you can search for suspicious POST requests containing JSON payloads with "method": 2 and SQL commands in the "query" field.
- Example curl command to test whether the vulnerable endpoint is accessible: `curl -X POST https://your-siyuan-instance/api/search/fullTextSearchBlock -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"method":2,"query":"SELECT * FROM blocks LIMIT 1"}'`
- Check server logs or proxy logs for POST requests to /api/search/fullTextSearchBlock with method=2 and SQL statements in the payload. [3]
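The log review described above can be scripted. The following Go program is an added example, not code from SiYuan or from this advisory: it reads constructed JSON access-log lines (the field names `method`, `path`, `role` and `body` are assumptions about what a reverse proxy or WAF might record, not SiYuan's own log format), keeps only POST requests to /api/search/fullTextSearchBlock whose JSON body has `"method": 2`, and rates them high when the caller's role is not admin, since a missing role check on exactly that path is what CVE-2026-32767 is about.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// accessRecord is one proxy/WAF log line. Field names are assumptions for this
// example; adapt them to whatever your gateway actually logs.
type accessRecord struct {
	Method string `json:"method"` // HTTP verb
	Path   string `json:"path"`
	Role   string `json:"role"` // caller's resolved role, assumed to be logged
	Body   string `json:"body"` // raw JSON request body
}

// searchBody mirrors the two request fields the advisory names.
type searchBody struct {
	Method int    `json:"method"`
	Query  string `json:"query"`
}

// sampleLog is constructed sample data, not real traffic.
const sampleLog = `{"method":"POST","path":"/api/search/fullTextSearchBlock","role":"reader","body":"{\"method\":0,\"query\":\"meeting notes\"}"}
{"method":"POST","path":"/api/search/fullTextSearchBlock","role":"reader","body":"{\"method\":2,\"query\":\"SELECT * FROM blocks LIMIT 1\"}"}
{"method":"POST","path":"/api/search/fullTextSearchBlock","role":"admin","body":"{\"method\":2,\"query\":\"SELECT id FROM blocks WHERE type = 'd'\"}"}
{"method":"POST","path":"/api/query/sql","role":"admin","body":"{\"stmt\":\"SELECT 1\"}"}
{"method":"POST","path":"/api/search/fullTextSearchBlock","role":"reader","body":"not json"}`

// Finding is one flagged request.
type Finding struct {
	Line     int
	Role     string
	Severity string // "high" for non-admin callers, "info" for admin SQL-mode searches
	Query    string
}

// FlagRawSQLSearches returns one Finding per POST to the vulnerable endpoint
// whose body selects method=2. Malformed lines and non-JSON bodies are skipped.
func FlagRawSQLSearches(log string) []Finding {
	var out []Finding
	for i, line := range strings.Split(log, "\n") {
		var rec accessRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			continue // not a parseable log line
		}
		if rec.Method != "POST" || rec.Path != "/api/search/fullTextSearchBlock" {
			continue
		}
		var body searchBody
		if err := json.Unmarshal([]byte(rec.Body), &body); err != nil {
			continue // body is not JSON, so it cannot be a method=2 search
		}
		if body.Method != 2 {
			continue
		}
		sev := "info"
		if rec.Role != "admin" {
			sev = "high" // Reader-role SQL-mode search: the case the fix blocks
		}
		out = append(out, Finding{Line: i + 1, Role: rec.Role, Severity: sev, Query: body.Query})
	}
	return out
}

func main() {
	for _, f := range FlagRawSQLSearches(sampleLog) {
		fmt.Printf("line %d [%s] role=%s query=%q\n", f.Line, f.Severity, f.Role, f.Query)
	}
}
```

Admin-originated method=2 searches are still reported at "info" level so that a baseline of legitimate SQL-mode usage exists to compare against; on a patched instance any non-admin hit should be impossible and is worth investigating as a sign of an unpatched node.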
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SiYuan to version 3.6.1 or later, where this vulnerability has been fixed by adding proper authorization checks to the /api/search/fullTextSearchBlock endpoint.
If upgrading is not immediately possible, restrict which authenticated users can reach the vulnerable endpoint, in particular preventing Reader-role users from sending requests with method=2.
Additionally, consider implementing network-level controls such as firewall rules or WAF rules to block or monitor suspicious POST requests to /api/search/fullTextSearchBlock with method=2.
The official fix involves adding CheckAdminRole and CheckReadonly middleware to the vulnerable endpoint to enforce administrator-only access for SQL execution.
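The explanation above and the mitigation section both come down to the same thing: the route was registered with authentication only, and the fix adds role and read-only checks in front of it. The following Go program is an added illustration of that middleware-chain difference, written by the editor and not taken from SiYuan's code base. It uses only the standard library: the middleware names CheckAuth, CheckAdminRole and CheckReadonly come from the advisory, but their implementations, the bearer tokens, the role strings and the ReadOnlyMode flag are all assumptions constructed for this example. The handler body never runs SQL; it only reports whether a request got through the chain.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed role names; SiYuan's real role model is not shown on the advisory page.
const (
	roleAdmin  = "admin"
	roleReader = "reader"
)

// ReadOnlyMode stands in for an instance-wide read-only switch (assumption).
var ReadOnlyMode = false

type ctxKey string

const roleKey ctxKey = "role"

// roleFromToken maps constructed bearer tokens to roles. A real implementation
// would look the token up in the session store.
func roleFromToken(authz string) string {
	switch authz {
	case "Bearer admin-token":
		return roleAdmin
	case "Bearer reader-token":
		return roleReader
	}
	return ""
}

// CheckAuth (name from the advisory, body assumed): require a valid token and
// attach the resolved role to the request context for later middleware.
func CheckAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role := roleFromToken(r.Header.Get("Authorization"))
		if role == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), roleKey, role)))
	})
}

// CheckAdminRole (name from the advisory, body assumed): only admins pass.
func CheckAdminRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := r.Context().Value(roleKey).(string); role != roleAdmin {
			http.Error(w, "admin role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// CheckReadonly (name from the advisory, body assumed): refuse the route while
// the instance is in read-only mode, since method=2 can change data.
func CheckReadonly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ReadOnlyMode {
			http.Error(w, "instance is read-only", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// searchHandler stands in for the endpoint body; it executes nothing.
func searchHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "request reached the search handler")
}

const searchPath = "/api/search/fullTextSearchBlock"

// VulnerableMux registers the route as the advisory describes the pre-3.6.1
// state: authentication only, so any Reader reaches the handler.
func VulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle(searchPath, CheckAuth(http.HandlerFunc(searchHandler)))
	return mux
}

// FixedMux registers the route with the chain the advisory describes for 3.6.1.
func FixedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle(searchPath, CheckAuth(CheckAdminRole(CheckReadonly(http.HandlerFunc(searchHandler)))))
	return mux
}

// StatusFor sends one POST with the given Authorization header and returns the status code.
func StatusFor(mux *http.ServeMux, authz string) int {
	req := httptest.NewRequest(http.MethodPost, searchPath, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, reader:", StatusFor(VulnerableMux(), "Bearer reader-token"))
	fmt.Println("fixed, reader:     ", StatusFor(FixedMux(), "Bearer reader-token"))
	fmt.Println("fixed, admin:      ", StatusFor(FixedMux(), "Bearer admin-token"))
}
```

The order of the chain matters: CheckAuth must run first so that the role is known before CheckAdminRole reads it, and CheckReadonly sits inside the admin gate so that an unprivileged caller is refused with the same response whether or not the instance is read-only. The same pattern is the right shape for the interim mitigation in the advisory: if you front the instance with a proxy, that proxy plays the role of CheckAdminRole for method=2 requests until the upgrade is done.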