5.7
SiYuan allows non-admin users to run database queries
CVE-2026-29073
GHSA-jqwg-75qf-vmf9
Summary
SiYuan, a personal knowledge management system, had a security flaw that let any logged-in user, not just administrators, run potentially damaging SQL queries on the database. This could have allowed unauthorized changes to sensitive information. To fix the issue, update to version 3.6.0 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | siyuan-note | <= 0.0.0-20260113130602-4ba64580c29c | – |
| siyuan-note | github.com/siyuan-note/siyuan/kernel | <= 0.0.0-20260113130602-4ba64580c29c | – |
| b3log | siyuan | <= 3.5.9 | – |
Original title
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights; any logged-in user, even ...
Original description
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights; any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0.
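The missing check described above, as an added Go example that is not SiYuan's own code: the Session and Role types, the sentinel errors and the handler wiring are assumptions for illustration. authorizeVulnerable reproduces the login-only check the advisory describes, and authorizeFixed adds the admin requirement that was missing.

```go
package main

import (
	"errors"
	"net/http"
)

// Minimal session model, assumed for this example rather than SiYuan's own.
type Role string
const (
	RoleReader Role = "reader"
	RoleAdmin  Role = "admin"
)
type Session struct {
	Authenticated bool
	Role          Role
}

var ErrUnauthenticated = errors.New("not authenticated")
var ErrForbidden = errors.New("admin role required")

// authorizeVulnerable mirrors the advisory's flaw: only login is checked, not admin rights.
func authorizeVulnerable(s Session) error {
	if !s.Authenticated {
		return ErrUnauthenticated
	}
	return nil
}

// authorizeFixed adds the missing authorization step (CWE-862).
func authorizeFixed(s Session) error {
	if err := authorizeVulnerable(s); err != nil {
		return err
	}
	if s.Role != RoleAdmin {
		return ErrForbidden
	}
	return nil
}

// sqlQueryHandler gates the endpoint on a policy; lookup stands in for the session store.
func sqlQueryHandler(authorize func(Session) error, lookup func(*http.Request) Session) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := authorize(lookup(r)); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		w.Write([]byte(`{"code":0}`)) // the query would be executed here
	}
}
```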
NVD CVSS 4.0 score: 5.7
Vulnerability type
CWE-89: SQL Injection
CWE-862: Missing Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026