CVE-2026-32767
Published: 20 March 2026
Summary
CVE-2026-32767 is a critical-severity SQL Injection (CWE-89) vulnerability in B3Log Siyuan. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations and access controls on endpoints like /api/search/fullTextSearchBlock, directly preventing the authorization bypass exploited by Reader-role users.
SI-10 validates user-supplied inputs to prevent SQL injection attacks when method=2 passes raw SQL directly to SQLite without sanitization.
AC-6 applies least privilege to limit the scope of damage from arbitrary SQL execution by restricting even authenticated users to necessary privileges.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible API endpoint enables T1190 exploitation and directly facilitates arbitrary DB operations for data collection (T1213.006), manipulation (T1565.001), and destruction (T1485).
NVD Description
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to…
more
the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
Deeper analysisAI
SiYuan, a personal knowledge management system, contains an authorization bypass vulnerability (CVE-2026-32767) affecting versions 3.6.0 and below. The issue resides in the /api/search/fullTextSearchBlock endpoint, where setting the method parameter to 2 causes the endpoint to pass user-supplied input directly as a raw SQL statement to the underlying SQLite database. This occurs without any authorization or read-only checks, enabling SQL injection. The vulnerability stems from an inconsistency in the application's security model: while the dedicated /api/query/sql endpoint enforces CheckAdminRole and CheckReadonly middleware, the search endpoint bypasses these controls entirely. It is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 9.8 (Critical).
Any authenticated user, including those with the Reader role, can exploit this vulnerability over the network with low complexity and no user interaction. Attackers can execute arbitrary SQL statements such as SELECT, DELETE, UPDATE, and DROP TABLE against the application's database, potentially leading to complete data compromise, modification, or destruction depending on the database contents and user permissions.
The vulnerability has been fixed in SiYuan version 3.6.1, as detailed in the project's GitHub release notes, security advisory (GHSA-j7wh-x834-p3r7), associated issue tracker (#17209), and the fixing commit (d5e2d0bce0dffef5f61bd8066954bc2d41181fc5). Security practitioners should urge users to upgrade immediately and review access controls in similar endpoints.
Details
- CWE(s)