SiYuan: Low-privilege users can modify sensitive notebook content
GHSA-f9cq-v43p-v523
CVE-2026-30926
Summary
A missing authorization check in SiYuan's publish service lets read-only publish accounts (RoleReader) append new blocks to existing documents through the /api/block/appendHeadingChildren endpoint, compromising the integrity of stored notes. Update to version 3.5.10 or later to fix this issue.
What to do
Update to SiYuan 3.5.10 or later, the version the upstream advisory names as fixed. Until you can upgrade, assume that any publish account, including a read-only one, can write to notebook content: suspend read-only publish accounts you do not fully trust, or keep the publish service off untrusted networks.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| siyuan-note | github.com/siyuan-note/siyuan/kernel (Go module) | <= 0.0.0-20260304035530-d03ebdec8279 | – |
| b3log | siyuan | < 3.5.10 | 3.5.10 |
Original title
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (Role...
Original description
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.
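The failure the description explains is a route that runs an authentication check but no authorization check for a mutating operation. The following is an added example, written for this page and not code from SiYuan: it models a route wired as the advisory describes (authentication only, so a RoleReader session passes) next to the hardened wiring that adds a read-only check before the mutating handler. The middleware names checkAuth and checkReadonly echo the advisory's model.CheckAuth and CheckReadonly but are stand-ins built on net/http; the session lookup via an X-Test-Role header, the RoleAdmin constant, and the JSON request shape are all assumptions made so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role of an authenticated publish session. RoleReader is the name the
// advisory uses; RoleAdmin is assumed here for contrast.
type Role int

const (
	RoleAdmin Role = iota
	RoleReader
)

// sessionRole stands in for a real session lookup (assumption: the role is
// carried in a test-only header so the example needs no session store).
func sessionRole(r *http.Request) (Role, bool) {
	switch r.Header.Get("X-Test-Role") {
	case "admin":
		return RoleAdmin, true
	case "reader":
		return RoleReader, true
	}
	return 0, false
}

type middleware func(http.Handler) http.Handler

// checkAuth models model.CheckAuth as the advisory describes it: any
// authenticated session passes, including RoleReader.
func checkAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := sessionRole(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkReadonly models the stricter check the endpoint was missing: a
// read-only session must never reach a handler that mutates a document.
func checkReadonly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := sessionRole(r); role == RoleReader {
			http.Error(w, "forbidden: read-only session", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// chain wraps h so that mws[0] runs first, then mws[1], and so on.
func chain(h http.Handler, mws ...middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// appendRequest is a constructed body shape for this example, not SiYuan's
// actual request schema.
type appendRequest struct {
	ID       string   `json:"id"`
	Children []string `json:"children"`
}

// newAppendHandler is the mutating handler; it appends blocks to an
// in-memory document map instead of real notebook storage.
func newAppendHandler(docs map[string][]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req appendRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.ID == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		docs[req.ID] = append(docs[req.ID], req.Children...)
		w.WriteHeader(http.StatusOK)
	})
}

// vulnerableRoute wires the endpoint as the advisory describes it:
// authentication only, no role or read-only enforcement.
func vulnerableRoute(docs map[string][]string) http.Handler {
	return chain(newAppendHandler(docs), checkAuth)
}

// hardenedRoute adds the read-only check in front of the mutating handler.
func hardenedRoute(docs map[string][]string) http.Handler {
	return chain(newAppendHandler(docs), checkAuth, checkReadonly)
}

// try posts one append request as the given role ("" means no session) and
// returns the HTTP status plus the number of blocks now stored in doc-1.
func try(h http.Handler, role string, docs map[string][]string) (int, int) {
	body := `{"id":"doc-1","children":["## injected heading","injected paragraph"]}`
	req := httptest.NewRequest(http.MethodPost, "/api/block/appendHeadingChildren", strings.NewReader(body))
	if role != "" {
		req.Header.Set("X-Test-Role", role)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, len(docs["doc-1"])
}

func main() {
	docs := map[string][]string{}
	code, n := try(vulnerableRoute(docs), "reader", docs)
	fmt.Printf("vulnerable: reader -> %d, blocks in doc-1: %d\n", code, n)
	docs = map[string][]string{}
	code, n = try(hardenedRoute(docs), "reader", docs)
	fmt.Printf("hardened:   reader -> %d, blocks in doc-1: %d\n", code, n)
}
```

The point to carry over to any review of a route table: a middleware that only proves a session exists says nothing about what that session may do, so every endpoint that writes needs a second check tied to the operation's effect, not just to the route's presence behind a login.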
GHSA CVSS 3.1 score
7.1
Vulnerability type
CWE-284
Improper Access Control
CWE-862
Missing Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026