CVE-2026-32938
Received Received - Intake
Path Traversal in SiYuan Desktop Allows Sensitive File Exfiltration

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32938
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b3log siyuan to 3.6.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32938 is a critical vulnerability in the SiYuan personal knowledge management system versions 3.6.0 and below. It involves the /api/lute/html2BlockDOM endpoint, which processes pasted HTML containing file:// links by copying the referenced local files into the workspace assets directory without validating whether these files are sensitive or not.

Because the endpoint only requires basic authentication and lacks proper authorization checks, an attacker can supply HTML with links to any readable local file, causing the system to copy sensitive files such as /etc/passwd or SSH keys into the assets directory.

These copied files can then be accessed and read via the GET /assets/*path endpoint, which also only requires basic authentication and does not restrict access, enabling an attacker to exfiltrate sensitive files from the system.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker with only basic authentication to read any sensitive file accessible by the desktop user's process, including critical system files and credential data."}, {'type': 'list_item', 'content': 'Confidentiality is severely compromised as sensitive files like system account data, network configurations, and private keys can be exfiltrated.'}, {'type': 'list_item', 'content': 'Integrity is impacted because the attacker can potentially influence the system by reading sensitive information.'}, {'type': 'list_item', 'content': 'Availability is also affected due to the high severity of the vulnerability and potential for exploitation.'}, {'type': 'paragraph', 'content': 'Overall, the vulnerability enables unauthorized file access and data leakage, posing a critical risk to the security and privacy of the affected system.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the POST /api/lute/html2BlockDOM endpoint copying local files referenced by file:// links into the workspace assets directory without proper path validation, and the GET /assets/*path endpoint allowing access to these copied files with only basic authentication.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor HTTP requests to these endpoints for suspicious activity such as POST requests containing HTML with file:// links and subsequent GET requests to /assets/ paths that may indicate file exfiltration.'}, {'type': 'list_item', 'content': 'Use web server or application logs to search for POST requests to /api/lute/html2BlockDOM containing file:// URLs.'}, {'type': 'list_item', 'content': 'Check for GET requests to /assets/* paths that may correspond to sensitive files being accessed.'}, {'type': 'list_item', 'content': 'Example command to search logs for suspicious POST requests (assuming logs in access.log):'}, {'type': 'list_item', 'content': "grep -i 'POST /api/lute/html2BlockDOM' access.log | grep 'file://'"}, {'type': 'list_item', 'content': 'Example command to find GET requests to assets directory:'}, {'type': 'list_item', 'content': "grep 'GET /assets/' access.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for warning logs generated by the updated application that indicate skipping copying of sensitive paths (e.g., messages like "skip copying asset [...] due to sensitive path") can help detect attempts to access sensitive files.'}] [1, 2]

Mitigation Strategies

The primary mitigation is to upgrade the SiYuan application to version 3.6.1 or later, where this vulnerability has been fixed.

The fix includes enhanced authorization checks on the POST /api/lute/html2BlockDOM endpoint, restricting access to administrative roles and readonly mode, and implementing sensitive path detection to prevent copying of files from critical system directories.

If immediate upgrade is not possible, consider restricting access to the affected endpoints by network controls or firewall rules to limit access only to trusted users.

Monitor logs for suspicious activity as described, and revoke or limit user privileges to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart