CVE-2026-32110
Published: 11 March 2026
Summary
CVE-2026-32110 is a high-severity SSRF (CWE-918) vulnerability in B3Log Siyuan. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 16.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the lack of URL validation in the forwardProxy endpoint by requiring checks on user-supplied inputs that block requests to internal networks, localhost, or cloud metadata services.
- SC-7 (Boundary Protection): enforces network-level restrictions (egress filtering) so that the server cannot reach internal resources or sensitive endpoints even when an SSRF is triggered.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of the flaw, here by upgrading to SiYuan 3.6.0, which eliminates the vulnerable endpoint behaviour.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in a network-reachable web endpoint is direct T1190 (Exploit Public-Facing Application). Because the endpoint returns the full response body and headers, the attacker can read what internal services and localhost return (T1005, T1213) and enumerate reachable hosts and ports from the server's vantage point (T1046). Reaching the cloud instance metadata service yields credentials (T1552.005; the older T1522 identifier has been revoked in favour of T1552.005).
NVD Description
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services. This vulnerability is fixed in 3.6.0.
Deeper analysis
CVE-2026-32110 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting SiYuan, an open-source personal knowledge management system. In versions prior to 3.6.0, the `/api/network/forwardProxy` endpoint enables authenticated users to initiate arbitrary HTTP requests from the SiYuan server itself. The endpoint accepts a user-supplied URL without any validation, allowing requests to internal networks, localhost, or cloud metadata services, and returns the full response body and headers to the user.
An attacker with authenticated access to a SiYuan instance (requiring low privileges, PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high confidentiality (C:H) and integrity (I:H) impacts, with low availability impact (A:L), yielding a CVSS v3.1 base score of 8.3. Attackers can leverage the server-side requests to access and exfiltrate data from internal services, local resources, or sensitive cloud endpoints like instance metadata, potentially enabling lateral movement or privilege escalation within the victim's infrastructure.
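The pattern the advisory's missing check implies, written in Go because SiYuan is a Go project. This is an added example and not SiYuan's own code or its 3.6.0 fix: it shows the pre-flight URL validation (the SI-10 control) together with a dial-time check that enforces the same policy on the address the socket actually connects to, which is what closes the DNS-rebinding and redirect gaps that a URL-only check leaves open. The function names, the injected resolver, and the sample hostnames (example.org, rebind.attacker.test) and their addresses are assumptions constructed for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// ErrForbiddenTarget: the target is an address a server-side proxy must never contact.
var ErrForbiddenTarget = errors.New("forwardProxy: target address not allowed")

// isForbiddenIP covers loopback, RFC 1918 and IPv6 ULA private space, link-local
// (which includes the 169.254.169.254 metadata address), unspecified (0.0.0.0, ::)
// and multicast. The net.IP methods unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1).
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast()
}

// Resolver is injected so the check can run offline (assumed interface for this
// example); production code would wrap net.DefaultResolver.LookupIP.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// validateTarget is the pre-flight input check: http/https only, a host must be
// present, and every address the host resolves to must be public.
func validateTarget(ctx context.Context, rawURL string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("forwardProxy: scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, errors.New("forwardProxy: empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, ErrForbiddenTarget
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else if ips, err = resolve(ctx, host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("forwardProxy: host did not resolve")
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, ErrForbiddenTarget
		}
	}
	return u, nil
}

// controlDial is a net.Dialer Control hook. It runs on the IP:port the socket is
// about to connect to, after the real DNS lookup, so a name that was public when
// validateTarget ran cannot be rebound to an internal address in between, and
// every redirect hop is checked too because each one dials through here.
func controlDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isForbiddenIP(ip) { // unparsable (e.g. zoned) addresses fail closed
		return ErrForbiddenTarget
	}
	return nil
}

// newProxyClient is the http.Client a hardened forward-proxy handler would use.
func newProxyClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: controlDial}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
	}
}

func main() {
	// Constructed resolver standing in for DNS (assumed names and addresses).
	fake := func(_ context.Context, host string) ([]net.IP, error) {
		switch host {
		case "example.org":
			return []net.IP{net.ParseIP("93.184.216.34")}, nil
		case "rebind.attacker.test": // public-looking name pointed at an internal address
			return []net.IP{net.ParseIP("10.0.0.5")}, nil
		}
		return nil, fmt.Errorf("no such host: %s", host)
	}
	for _, target := range []string{
		"https://example.org/page",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/",
		"http://rebind.attacker.test/",
		"file:///etc/passwd",
	} {
		_, err := validateTarget(context.Background(), target, fake)
		fmt.Printf("%-45s -> %v\n", target, err)
	}
	_ = newProxyClient() // the handler would issue client.Do on a request built from the validated URL
}
```

The pre-flight check alone is the mistake most SSRF fixes make: the attacker controls the DNS for their own hostname and can answer with a public address for the validation lookup and an internal one for the connect, or simply 302 the server to http://169.254.169.254/. Putting the same predicate in the dialer's Control hook means the policy is applied to the address the kernel is given, whatever path led there. Where the product can tolerate it, an explicit allowlist of destinations is stronger than this denylist of ranges.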
The official GitHub Security Advisory (GHSA-56cv-c5p2-j2wg) confirms the issue and states that it is fully resolved in SiYuan version 3.6.0, recommending immediate upgrades to mitigate the vulnerability. No additional workarounds are detailed in the provided references.
Details
- CWE(s)