8.3
SiYuan's forwardProxy endpoint allows unauthorized access to internal networks
CVE-2026-32110
GHSA-56cv-c5p2-j2wg
Summary
The SiYuan API has a server-side request forgery (SSRF) flaw in the /api/network/forwardProxy endpoint. The endpoint takes a URL supplied in the request and does not properly check the destination, so attackers can make unauthorized requests from the server to internal networks, potentially exposing sensitive information. To fix this, update the endpoint to validate URLs and reject requests to internal networks. In the meantime, consider restricting access to this endpoint or disabling it until the issue is fixed.
What to do
- Update github.com siyuan-note to version 3.6.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | siyuan-note | <= 3.5.9 | 3.6.0 |
| b3log | siyuan | <= 3.6.0 | – |
Original title
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint acc...
Original description
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.
nvd CVSS3.1
8.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026