CVE-2026-32767
SQL Injection via Authorization Bypass in SiYuan Search API

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user, including those with the Reader role, to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: b3log
Product: siyuan
Version / Range: up to 3.6.1 (excluding 3.6.1)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32767 is a critical authorization bypass vulnerability in the SiYuan personal knowledge management system versions 3.6.0 and below. The vulnerability exists in the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. In this case, the endpoint executes user-supplied input directly as raw SQL statements on the underlying SQLite database without performing any authorization or read-only checks.

This flaw allows any authenticated user, including those with only Reader role privileges, to execute arbitrary SQL commands such as SELECT, DELETE, UPDATE, and DROP TABLE. This behavior bypasses the intended security model, where only administrators should be able to execute such SQL commands. The vulnerability arises because the vulnerable endpoint only applies basic authentication middleware (CheckAuth) but lacks the necessary role checks (CheckAdminRole and CheckReadonly) that are enforced on other SQL endpoints.

The issue was fixed in version 3.6.1 by adding proper authorization checks to restrict SQL execution to administrators.


How can this vulnerability impact me?

This vulnerability can have severe impacts on confidentiality, integrity, and availability of your data and application.

  • Confidentiality: Unauthorized users with Reader role can read all database contents, including sensitive information such as blocks, assets, references, and configuration data.
  • Integrity: Unauthorized users can modify or delete any data in the database, despite their intended read-only access.
  • Availability: Unauthorized users can execute destructive SQL commands like DROP TABLE, potentially corrupting or destroying the database and rendering the application unusable.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for POST requests to the endpoint /api/search/fullTextSearchBlock with the parameter method set to 2, which allows execution of arbitrary SQL statements. An example detection method is to look for unusual or unauthorized SQL queries in the request payloads, especially from users with Reader roles.

You can use network monitoring or web application firewall (WAF) logs to identify such requests. For example, using command-line tools like curl or HTTP request logs, you can search for suspicious POST requests containing JSON payloads with "method": 2 and SQL commands in the "query" field.

  • Example curl command to test if the vulnerable endpoint is accessible: curl -X POST https://your-siyuan-instance/api/search/fullTextSearchBlock -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"method":2,"query":"SELECT * FROM blocks LIMIT 1"}'
  • Check server logs or proxy logs for POST requests to /api/search/fullTextSearchBlock with method=2 and SQL statements in the payload. [3]
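The log-review step described above, as an added example that is not part of this page or of the SiYuan project: a Python scanner that reads JSON request-log lines, keeps only POST calls to /api/search/fullTextSearchBlock whose body sets method to 2, rates each hit by the caller's role and by whether the SQL verb is destructive, and skips malformed lines. The log field names (user, role, method, path, body) and the sample lines are constructed assumptions, not any real proxy's format.

```python
import json
import re

VULN_PATH = "/api/search/fullTextSearchBlock"
# Destructive verbs the advisory lists as reachable via method=2 by a Reader.
WRITE_VERBS = re.compile(r"^\s*(DELETE|UPDATE|DROP|INSERT|ALTER|CREATE)\b", re.I)

def _log(user, role, path, body):
    return json.dumps({"user": user, "role": role, "method": "POST",
                       "path": path, "body": json.dumps(body)})

# Constructed sample log lines (field names are assumptions, not real SiYuan or proxy output).
SAMPLE_LOGS = [
    _log("bob", "reader", VULN_PATH, {"method": 0, "query": "meeting notes"}),
    _log("bob", "reader", VULN_PATH, {"method": 2, "query": "SELECT * FROM blocks LIMIT 1"}),
    _log("bob", "reader", VULN_PATH, {"method": 2, "query": "DROP TABLE blocks"}),
    _log("alice", "admin", VULN_PATH, {"method": 2, "query": "SELECT id FROM blocks"}),
    "this line is not JSON and must be skipped",
]

def classify(record):
    """Return a finding dict when the record is a method=2 call to the search endpoint."""
    if record.get("method") != "POST" or record.get("path") != VULN_PATH:
        return None
    try:
        body = json.loads(record.get("body", ""))
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(body, dict) or body.get("method") != 2:
        return None
    query = str(body.get("query", ""))
    if record.get("role") == "admin":
        severity = "info"    # admins may run SQL on the dedicated endpoint anyway
    elif WRITE_VERBS.match(query):
        severity = "high"    # non-admin issuing a destructive statement
    else:
        severity = "medium"  # non-admin reading arbitrary tables
    return {"user": record.get("user"), "role": record.get("role"), "severity": severity, "query": query}

def scan(lines):
    """Parse JSON log lines, skip malformed ones, and collect findings in order."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and (finding := classify(record)):
            findings.append(finding)
    return findings
```

Running scan(SAMPLE_LOGS) yields three findings: the Reader's SELECT (medium), the Reader's DROP TABLE (high) and the admin's SELECT (info); the method=0 search and the non-JSON line are ignored.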


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade SiYuan to version 3.6.1 or later, where this vulnerability has been fixed by adding proper authorization checks to the /api/search/fullTextSearchBlock endpoint.

If upgrading is not immediately possible, restrict access to the vulnerable endpoint by limiting authenticated users who can access it, especially preventing Reader role users from making requests with method=2.

Additionally, consider implementing network-level controls such as firewall rules or WAF rules to block or monitor suspicious POST requests to /api/search/fullTextSearchBlock with method=2.

The official fix involves adding CheckAdminRole and CheckReadonly middleware to the vulnerable endpoint to enforce administrator-only access for SQL execution.

