Cyber Resilience

CVE-2026-30926

HighPublic PoC

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0002 4.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30926 is a high-severity Improper Access Control (CWE-284) vulnerability in B3Log Siyuan. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-30926 is a privilege escalation vulnerability in SiYuan, a personal knowledge management system also known as SiYuan Note. Affecting versions prior to 3.5.10, the issue resides in the publish service, specifically the /api/block/appendHeadingChildren API endpoint. This endpoint performs only a basic model.CheckAuth role check, which permits RoleReader sessions, without enforcing stricter authorization such as CheckAdminRole or CheckReadonly. As a result, low-privilege users can append new blocks to existing documents, leading to improper access control (CWE-284, CWE-862). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

An attacker with a remote authenticated RoleReader account in the publish service can exploit this vulnerability without user interaction. By sending crafted requests to the vulnerable API endpoint, they can modify notebook content by appending headings or child blocks, thereby compromising the integrity of stored notes despite read-only privileges.

The GitHub Security Advisory (GHSA-f9cq-v43p-v523) details the issue and recommends upgrading to SiYuan version 3.5.10 or later, where the authorization checks have been strengthened to prevent unauthorized modifications.

EU & UK References

Vulnerability details

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires…

more

only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE is explicitly a privilege escalation vulnerability due to missing authorization checks (only basic CheckAuth allowing RoleReader), enabling low-priv authenticated users to perform unauthorized modifications via the /api/block/appendHeadingChildren endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29073Same product: B3Log Siyuan
CVE-2026-32938Same product: B3Log Siyuan
CVE-2026-34448Same product: B3Log Siyuan
CVE-2026-30869Same product: B3Log Siyuan
CVE-2026-33067Same product: B3Log Siyuan
CVE-2026-34585Same product: B3Log Siyuan
CVE-2026-23850Same product: B3Log Siyuan
CVE-2026-32749Same product: B3Log Siyuan
CVE-2026-23852Same product: B3Log Siyuan
CVE-2026-34605Same product: B3Log Siyuan

Affected Assets

b3log
siyuan
≤ 3.5.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires the system to enforce authorized access at the /api/block/appendHeadingChildren endpoint instead of accepting RoleReader sessions for modification operations.

prevent

Mandates that publish accounts receive only the privileges needed for read-only duties, preventing RoleReader sessions from reaching modification APIs.

prevent

Requires explicit access-control decisions (e.g., CheckAdminRole or CheckReadonly) rather than relying solely on the weaker model.CheckAuth check.

References