CVE-2026-30926

HighPublic PoC

Published: 10 March 2026

Published

10 March 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

EPSS Score 0.0001 2.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30926 is a high-severity Improper Access Control (CWE-284) vulnerability in B3Log Siyuan. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-1 Policy and Procedures

addresses: CWE-284 CWE-862

The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

AC-13 Supervision and Review — Access Control

addresses: CWE-284 CWE-862

Supervision and review of access control activities directly detects and remediates improper access configurations or usages.

AC-14 Permitted Actions Without Identification or Authentication

addresses: CWE-284 CWE-862

Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.

AC-16 Security and Privacy Attributes

addresses: CWE-284 CWE-862

Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.

AC-17 Remote Access

addresses: CWE-284 CWE-862

Requiring prior authorization for each remote access type prevents improper access control over remote connections.

AC-18 Wireless Access

addresses: CWE-284 CWE-862

Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.

AC-19 Access Control for Mobile Devices

addresses: CWE-284 CWE-862

Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems.

AC-2 Account Management

addresses: CWE-284 CWE-862

Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The CVE is explicitly a privilege escalation vulnerability due to missing authorization checks (only basic CheckAuth allowing RoleReader), enabling low-priv authenticated users to perform unauthorized modifications via the /api/block/appendHeadingChildren endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires…

only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.

Deeper analysisAI

CVE-2026-30926 is a privilege escalation vulnerability in SiYuan, a personal knowledge management system also known as SiYuan Note. Affecting versions prior to 3.5.10, the issue resides in the publish service, specifically the /api/block/appendHeadingChildren API endpoint. This endpoint performs only a basic model.CheckAuth role check, which permits RoleReader sessions, without enforcing stricter authorization such as CheckAdminRole or CheckReadonly. As a result, low-privilege users can append new blocks to existing documents, leading to improper access control (CWE-284, CWE-862). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

An attacker with a remote authenticated RoleReader account in the publish service can exploit this vulnerability without user interaction. By sending crafted requests to the vulnerable API endpoint, they can modify notebook content by appending headings or child blocks, thereby compromising the integrity of stored notes despite read-only privileges.

The GitHub Security Advisory (GHSA-f9cq-v43p-v523) details the issue and recommends upgrading to SiYuan version 3.5.10 or later, where the authorization checks have been strengthened to prevent unauthorized modifications.

Details

CWE(s): CWE-284 CWE-862

Affected Products

b3log

siyuan

≤ 3.5.10

CVEs Like This One

CVE-2026-29073Same product: B3Log Siyuan

CVE-2026-32938Same product: B3Log Siyuan

CVE-2026-33670Same product: B3Log Siyuan

CVE-2026-25992Same product: B3Log Siyuan

CVE-2026-40259Same product: B3Log Siyuan

CVE-2026-34585Same product: B3Log Siyuan

CVE-2026-29183Same product: B3Log Siyuan

CVE-2026-34448Same product: B3Log Siyuan

CVE-2026-32751Same product: B3Log Siyuan

CVE-2026-40322Same product: B3Log Siyuan

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0