CVE-2026-32938
Path Traversal in SiYuan Desktop Allows Sensitive File Exfiltration
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | up to 3.6.1 (3.6.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32938 is a critical vulnerability in the SiYuan personal knowledge management system versions 3.6.0 and below. It involves the /api/lute/html2BlockDOM endpoint, which processes pasted HTML containing file:// links by copying the referenced local files into the workspace assets directory without validating whether these files are sensitive or not.
Because the endpoint only requires basic authentication and lacks proper authorization checks, an attacker can supply HTML with links to any readable local file, causing the system to copy sensitive files such as /etc/passwd or SSH keys into the assets directory.
These copied files can then be accessed and read via the GET /assets/*path endpoint, which also only requires basic authentication and does not restrict access, enabling an attacker to exfiltrate sensitive files from the system.
How can this vulnerability impact me?
This vulnerability allows an attacker with only basic authentication to read any sensitive file accessible by the desktop user's process, including critical system files and credential data.
- Confidentiality is severely compromised as sensitive files like system account data, network configurations, and private keys can be exfiltrated.
- Integrity is impacted because the attacker can potentially influence the system by reading sensitive information.
- Availability is also affected due to the high severity of the vulnerability and potential for exploitation.
Overall, the vulnerability enables unauthorized file access and data leakage, posing a critical risk to the security and privacy of the affected system. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the POST /api/lute/html2BlockDOM endpoint copying local files referenced by file:// links into the workspace assets directory without proper path validation, and the GET /assets/*path endpoint allowing access to these copied files with only basic authentication.
To detect exploitation attempts on your system or network, you can monitor HTTP requests to these endpoints for suspicious activity such as POST requests containing HTML with file:// links and subsequent GET requests to /assets/ paths that may indicate file exfiltration.
- Use web server or application logs to search for POST requests to /api/lute/html2BlockDOM containing file:// URLs.
- Check for GET requests to /assets/* paths that may correspond to sensitive files being accessed.
- Example command to search logs for suspicious POST requests (assuming logs in access.log): `grep -i 'POST /api/lute/html2BlockDOM' access.log | grep 'file://'`
- Example command to find GET requests to the assets directory: `grep 'GET /assets/' access.log`
Additionally, monitoring for warning logs generated by the updated application that indicate skipping copying of sensitive paths (e.g., messages like "skip copying asset [...] due to sensitive path") can help detect attempts to access sensitive files. [1, 2]
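The grep commands above only flag individual lines. The following script, added here as an illustration and not part of the CVE record or of SiYuan, correlates the two halves of the pattern per client: a POST to /api/lute/html2BlockDOM whose body carries a file:// link, followed by a GET to /assets/ from the same address. The log lines are constructed for the example, and the `body="..."` field at the end of each line is an assumption (a reverse proxy configured to log a request-body excerpt); ordinary access logs do not contain request bodies, so the file:// check cannot work on them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real deployment). The trailing body="..."
# field is an assumed proxy extension that logs a request-body excerpt.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:10:01:02 +0000] "POST /api/lute/html2BlockDOM HTTP/1.1" 200 512 "-" "Mozilla/5.0" body="<a href=\\"file:///etc/passwd\\">x</a>"
10.0.0.5 - - [20/Mar/2026:10:01:05 +0000] "GET /assets/passwd-copy HTTP/1.1" 200 1843 "-" "Mozilla/5.0" body="-"
10.0.0.9 - - [20/Mar/2026:10:02:00 +0000] "POST /api/lute/html2BlockDOM HTTP/1.1" 200 300 "-" "Mozilla/5.0" body="<p>hello</p>"
10.0.0.9 - - [20/Mar/2026:10:02:10 +0000] "GET /assets/image-def456.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0" body="-"
"""

# Combined log format plus the assumed body="..." suffix.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" body="(?P<body>.*)"$'
)
# A file:// URL ends at whitespace, a quote, a closing tag or an escape character.
FILE_URL_RE = re.compile(r'file://[^"\'\s>\\]+', re.IGNORECASE)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ENDPOINT = "/api/lute/html2BlockDOM"
ASSETS_PREFIX = "/assets/"


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_suspicious(log_text: str):
    """Correlate file://-bearing POSTs with later asset reads from the same client.

    Returns one finding per client that posted HTML containing a file:// link,
    listing the file URLs seen and any /assets/ paths read after that POST.
    """
    posts = defaultdict(list)
    gets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == ENDPOINT and FILE_URL_RE.search(rec["body"]):
            posts[rec["ip"]].append(rec)
        elif rec["method"] == "GET" and rec["path"].startswith(ASSETS_PREFIX):
            gets[rec["ip"]].append(rec)

    findings = []
    for ip, client_posts in posts.items():
        first_post = min(p["when"] for p in client_posts)
        file_urls = []
        for p in client_posts:
            file_urls.extend(FILE_URL_RE.findall(p["body"]))
        asset_reads = [g["path"] for g in gets.get(ip, []) if g["when"] >= first_post]
        findings.append({"ip": ip, "file_urls": file_urls, "asset_reads": asset_reads})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']}: posted {f['file_urls']}, then read {f['asset_reads']}")
```

Only the 10.0.0.5 client is reported: the 10.0.0.9 POST carries plain HTML and its later asset read is a normal image fetch. A finding with a non-empty `asset_reads` list is the stronger signal, since it shows the copied file was actually retrieved rather than merely requested to be copied.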
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the SiYuan application to version 3.6.1 or later, where this vulnerability has been fixed.
The fix includes enhanced authorization checks on the POST /api/lute/html2BlockDOM endpoint, restricting access to administrative roles and readonly mode, and implementing sensitive path detection to prevent copying of files from critical system directories.
If immediate upgrade is not possible, consider restricting access to the affected endpoints by network controls or firewall rules to limit access only to trusted users.
Monitor logs for suspicious activity as described, and revoke or limit user privileges to reduce the risk of exploitation.
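The fix described above combines an authorization gate with a sensitive-path check before any local file is copied into the assets directory. The function below is an added illustration of that pattern, written for this page and not taken from SiYuan 3.6.1: the role names, the readonly flag, the list of sensitive prefixes and names, and the optional allow-list of roots are all assumptions, and the path handling is POSIX-only.

```python
import os
from urllib.parse import unquote, urlparse

# Assumed deny-list for this example; the real list used by the fixed version is
# not reproduced on this page. An allow-list of roots (below) is the stronger control.
SENSITIVE_PREFIXES = ("/etc", "/root", "/proc", "/sys", "/boot", "/dev", "/var")
SENSITIVE_NAMES = (".ssh", ".gnupg", ".aws", ".kube", ".env", "id_rsa", "id_ed25519")


def file_url_to_path(url: str):
    """Turn a file:// URL into a local POSIX path, or None if it is not a local file URL."""
    u = urlparse(url)
    if u.scheme.lower() != "file":
        return None
    # file://host/path with a non-local host is not a local file; reject it.
    if u.netloc and u.netloc.lower() != "localhost":
        return None
    # Percent-encoding must be undone before any prefix check (e.g. /etc/%70asswd).
    return unquote(u.path)


def _under(path: str, root: str) -> bool:
    root = os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def is_sensitive_path(path: str) -> bool:
    """True if the normalized path points into a sensitive location.

    normpath collapses '..' and '.' so traversal sequences are evaluated, not
    string-matched. In production, resolve symlinks as well (os.path.realpath).
    """
    norm = os.path.normpath(path)
    if not os.path.isabs(norm):
        return True  # relative paths are ambiguous; treat as sensitive
    if any(_under(norm, p) for p in SENSITIVE_PREFIXES):
        return True
    return any(part in SENSITIVE_NAMES for part in norm.split(os.sep))


def asset_copy_decision(url: str, role: str, readonly: bool, allowed_roots=None):
    """Decide whether a pasted file:// link may be copied into the assets directory.

    Returns (True, normalized_path) when allowed, otherwise (False, reason).
    Authorization is checked first so unauthorized callers learn nothing about paths.
    """
    if readonly:
        return (False, "readonly mode")
    if role != "admin":  # assumed role name for the administrative role
        return (False, "role not permitted")
    path = file_url_to_path(url)
    if path is None:
        return (False, "not a local file:// URL")
    norm = os.path.normpath(path)
    if is_sensitive_path(norm):
        return (False, "sensitive path")
    if allowed_roots and not any(_under(norm, r) for r in allowed_roots):
        return (False, "outside allowed roots")
    return (True, norm)


if __name__ == "__main__":
    for url in ("file:///etc/passwd", "file:///home/alice/Pictures/cat.png"):
        print(url, "->", asset_copy_decision(url, "admin", False))
```

The order of the checks matters: the role and readonly gates run before the URL is even parsed, the URL is percent-decoded before normalization, and normalization happens before the prefix comparison, so `file:///home/alice/docs/../../../etc/shadow` is judged as `/etc/shadow`. Passing `allowed_roots` (for example, the user's documents folder) turns the deny-list into an allow-list, which is the safer default for a feature that only needs to import a user's own files.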