CVE-2026-32815
Published: 19 March 2026
Summary
CVE-2026-32815 is a high-severity Improper Authentication (CWE-287) vulnerability in B3Log Siyuan. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to the WebSocket endpoint, preventing unauthenticated connections that leak sensitive document metadata.
Limits and documents specific actions permitted without identification or authentication, directly countering the unintended unauthenticated access via URL parameters.
Monitors and controls communications at system boundaries, including validation of WebSocket connections to block cross-origin unauthorized access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated WebSocket access at /ws directly enables T1190 (exploiting the exposed application endpoint with no auth/origin checks). Real-time leakage of document metadata, paths, notebooks and CRUD events facilitates T1005 (data collection from local system) and T1213 (harvesting from the application's information repository).
NVD Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any…
more
external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.
Deeper analysisAI
CVE-2026-32815 affects SiYuan, a personal knowledge management system, in versions 3.6.0 and prior. The vulnerability resides in the WebSocket endpoint at /ws, which permits unauthenticated connections when invoked with specific URL parameters (?app=siyuan&id=auth&type=auth). This mechanism, originally designed to maintain kernel connectivity on the login page, exposes all server push events in real-time without authentication checks. As a result, sensitive document metadata—including titles, notebook names, file paths, and CRUD operations from authenticated users—leaks to connected clients. The issue is rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-287 (Improper Authentication).
Attackers can exploit this remotely with low complexity and no privileges. Any external client, including malicious websites leveraging cross-origin WebSocket connections from a victim's browser, can connect to a local SiYuan instance lacking Origin header validation. This enables silent, real-time monitoring of the victim's note-taking activity, capturing metadata from all user interactions without detection. Exploitation requires the victim to visit a malicious site while SiYuan runs locally and exposes its WebSocket endpoint.
Mitigation is available in SiYuan version 3.6.1, which addresses the bypass. Security practitioners should upgrade immediately, as detailed in the GitHub security advisory (GHSA-xp2m-98x8-rpj6), release notes for v3.6.1, and the fixing commit (1e370e37359778c0932673e825182ff555b504a3). No additional workarounds are specified in the advisories.
Details
- CWE(s)