CVE-2026-30926
Published: 10 March 2026
Summary
CVE-2026-30926 is a high-severity Improper Access Control (CWE-284) vulnerability in B3Log Siyuan. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-30926 is a privilege escalation vulnerability in SiYuan, a personal knowledge management system also known as SiYuan Note. Affecting versions prior to 3.5.10, the issue resides in the publish service, specifically the /api/block/appendHeadingChildren API endpoint. This endpoint performs only a basic model.CheckAuth role check, which permits RoleReader sessions, without enforcing stricter authorization such as CheckAdminRole or CheckReadonly. As a result, low-privilege users can append new blocks to existing documents, leading to improper access control (CWE-284, CWE-862). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
An attacker with a remote authenticated RoleReader account in the publish service can exploit this vulnerability without user interaction. By sending crafted requests to the vulnerable API endpoint, they can modify notebook content by appending headings or child blocks, thereby compromising the integrity of stored notes despite read-only privileges.
The GitHub Security Advisory (GHSA-f9cq-v43p-v523) details the issue and recommends upgrading to SiYuan version 3.5.10 or later, where the authorization checks have been strengthened to prevent unauthorized modifications.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10393
Vulnerability details
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires…
more
only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE is explicitly a privilege escalation vulnerability due to missing authorization checks (only basic CheckAuth allowing RoleReader), enabling low-priv authenticated users to perform unauthorized modifications via the /api/block/appendHeadingChildren endpoint.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires the system to enforce authorized access at the /api/block/appendHeadingChildren endpoint instead of accepting RoleReader sessions for modification operations.
Mandates that publish accounts receive only the privileges needed for read-only duties, preventing RoleReader sessions from reaching modification APIs.
Requires explicit access-control decisions (e.g., CheckAdminRole or CheckReadonly) rather than relying solely on the weaker model.CheckAuth check.