CVE-2026-29073

HighPublic PoC

Published: 06 March 2026

Published

06 March 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 18.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29073 is a high-severity SQL Injection (CWE-89) vulnerability in B3Log Siyuan. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations on the /api/query/sql endpoint to restrict SQL execution to admin users only, directly addressing the missing authorization vulnerability.

AC-6 Least Privilege good match

prevent

Applies least privilege to ensure reader-only users cannot access or execute arbitrary SQL queries on the database.

AC-5 Separation of Duties partial match

prevent

Defines separation of duties between reader and admin roles to prevent low-privileged users from performing high-impact database operations.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Missing authorization on /api/query/sql directly enables remote exploitation of the public-facing app (T1190) by low-priv users, granting arbitrary SQL read/write/delete on the notes database. This facilitates data exfiltration from local system/DB repositories (T1005, T1213.006), stored data manipulation (T1565.001), and data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the…

database. This issue has been patched in version 3.6.0.

Deeper analysisAI

CVE-2026-29073 is a missing authorization vulnerability in SiYuan, a personal knowledge management system, affecting versions prior to 3.6.0. The /api/query/sql endpoint permits users to execute arbitrary SQL queries directly on the database but only enforces basic authentication, without checking for admin privileges. This allows any authenticated user, including those with reader-only access, to perform unrestricted database operations, mapped to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-862 (Missing Authorization).

The vulnerability can be exploited remotely (AV:N) by any low-privileged authenticated user (PR:L) with low attack complexity (AC:L) and no user interaction (UI:N), maintaining unchanged scope (S:U). Attackers achieve high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), enabling full database read, write, or delete access, such as exfiltrating sensitive notes, altering data, or disrupting service. The CVSS v3.1 base score is 8.8, indicating high severity.

The vulnerability has been patched in SiYuan version 3.6.0. Additional mitigation guidance is available in the GitHub Security Advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-jqwg-75qf-vmf9.

Details

CWE(s): CWE-89 CWE-862

Affected Products

b3log

siyuan

≤ 3.5.9

CVEs Like This One

CVE-2026-32767Same product: B3Log Siyuan

CVE-2026-40259Same product: B3Log Siyuan

CVE-2026-23850Same product: B3Log Siyuan

CVE-2026-32749Same product: B3Log Siyuan

CVE-2026-33476Same product: B3Log Siyuan

CVE-2026-32938Same product: B3Log Siyuan

CVE-2025-21609Same product: B3Log Siyuan

CVE-2026-32815Same product: B3Log Siyuan

CVE-2026-30926Same product: B3Log Siyuan

CVE-2026-33669Same product: B3Log Siyuan

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-jqwg-75qf-vmf9
Exploit, Vendor Advisory · security-advisories@github.com