CVE-2026-59832
Deferred Deferred - Pending Action

SiYuan Path Traversal Vulnerability Allows File Access

Vulnerability report for CVE-2026-59832, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /snippets/*filepath route handler serveSnippets in kernel/server/serve.go joins a single-decoded request path with the snippets directory without subpath containment or sensitive-path checks, allowing an authenticated request such as /snippets/%2e%2e/%2e%2e/conf/conf.json to read workspace secrets and the document database. This issue is fixed in versions 3.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
siyuan 3.7.1 *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions prior to 3.7.1. The issue is in the /snippets/*filepath route handler, where the server joins a decoded request path with the snippets directory without properly checking for subpath containment or sensitive paths.

Because of this, an authenticated user can craft a request such as /snippets/%2e%2e/%2e%2e/conf/conf.json to access files outside the intended snippets directory, including workspace secrets and the document database.

This vulnerability allows unauthorized reading of sensitive files by bypassing path restrictions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored within the SiYuan system, such as workspace secrets and the document database.

An attacker with authenticated access could exploit this flaw to read confidential data that should be protected, potentially leading to data breaches or leakage of private information.

The CVSS score of 7.7 indicates a high severity impact, emphasizing the risk of confidentiality loss.

Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.7.1 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows an authenticated user to read workspace secrets and the document database by exploiting a path traversal issue. Such unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the exposure of workspace secrets and document databases may result in breaches of confidentiality and data integrity requirements mandated by these standards, potentially causing non-compliance and legal consequences.

Detection Guidance

This vulnerability can be detected by attempting to access sensitive files via the vulnerable `/snippets/*filepath` route using path traversal sequences in the URL. Since the flaw allows authenticated users to bypass path restrictions, you can test by sending authenticated HTTP GET requests with encoded traversal paths.

  • Use curl or similar tools to send requests like: `curl -i -H "Authorization: Bearer <token>" "http://<target>/snippets/%2e%2e/%2e%2e/conf/conf.json"` to check if the configuration file is accessible.
  • Similarly, test access to the database file with: `curl -i -H "Authorization: Bearer <token>" "http://<target>/snippets/%2e%2e/%2e%2e/temp/siyuan.db"`.

If these requests return the contents of the files, it indicates the presence of the path traversal vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59832. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart