CVE-2026-32938
Published: 20 March 2026
Summary
CVE-2026-32938 is a critical-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-4 (Information in Shared System Resources).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the lack of path validation in /api/lute/html2BlockDOM by requiring validation of pasted HTML file:// links to block access to sensitive local files.
- Enforces controls on information flows to prevent copying of sensitive local files into the network-accessible workspace assets directory.
- Prevents unauthorized transfer of sensitive information into shared system resources like the assets directory that are retrievable via authenticated GET requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote exploitation of a public-facing endpoint (T1190) in SiYuan to copy and exfiltrate arbitrary local sensitive files (T1005) via improper path validation on file:// links.
NVD Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/*path, which only requires authentication, a publish-service visitor can cause the desktop kernel to copy any readable sensitive file and then read it via GET, leading to exfiltration of sensitive files. This issue has been fixed in version 3.6.1.
Deeper analysis
CVE-2026-32938 is a critical-severity vulnerability (CVSS 9.9) in SiYuan, a personal knowledge management system, affecting versions 3.6.0 and below. It stems from improper path validation in the desktop edition's /api/lute/html2BlockDOM endpoint, which processes pasted HTML containing file:// links and copies the referenced local files into the workspace assets directory without checking them against a sensitive-path list (CWE-22, CWE-200, CWE-284).
A low-privileged attacker (PR:L), such as an authenticated publish-service visitor, can exploit this over the network (AV:N) with no user interaction (UI:N). By pasting malicious HTML with file:// links to sensitive readable files, the attacker tricks the desktop kernel into copying those files to the assets directory. The attacker then retrieves the files via the GET /assets/*path endpoint, which only requires authentication, achieving sensitive file exfiltration with scope change (S:C), high confidentiality impact (C:H), low integrity impact (I:L), and high availability impact (A:H).
The vulnerability was fixed in SiYuan version 3.6.1. Mitigation details are available in the GitHub security advisory (GHSA-fq2j-j8hc-8vw8), release notes for v3.6.1, and the patching commit (294b8b429dea152cd1df522cddf406054c1619ad). Security practitioners should upgrade to 3.6.1 or later and review access to publish services.
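The following Go program is an added illustration of the kind of gate the advisory says was missing before a file:// link in pasted HTML is copied into the assets directory. It is not SiYuan's code and not the 3.6.1 patch; the allowed-root list, the sensitive-path list, the sample paste and the helper names (ResolveFileLink, CheckFileLink, FileLinksInHTML) are all constructed for the example. It canonicalises the link target (scheme and host checks, percent-decoding, "../" collapse, symlink resolution when the target exists) and then applies a deny list that wins over an allow list, which is the general shape of a sensitive-path check rather than the project's specific one.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Constructed policy for this example; SiYuan's real lists are not shown on the page.
var (
	allowedRoots   = []string{"/home/alice/Documents"}                                // may be copied into assets
	sensitivePaths = []string{"/etc", "/root", "/proc", "/sys", "/home/alice/.ssh"} // never copied
)

var ErrRejected = errors.New("file link rejected by policy")

// underDir reports whether p equals dir or lies beneath it (both cleaned absolute paths).
func underDir(p, dir string) bool {
	rel, err := filepath.Rel(dir, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// ResolveFileLink turns a file:// URL into a cleaned absolute local path (POSIX paths only).
// Other schemes, remote hosts and relative paths are rejected; "../" segments are collapsed
// by filepath.Clean so the policy check sees the real target, not the pasted spelling.
func ResolveFileLink(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrRejected, err)
	}
	if u.Scheme != "file" {
		return "", fmt.Errorf("%w: scheme %q is not file", ErrRejected, u.Scheme)
	}
	if u.Host != "" && u.Host != "localhost" {
		return "", fmt.Errorf("%w: host %q in file URL", ErrRejected, u.Host)
	}
	p := filepath.Clean(filepath.FromSlash(u.Path)) // u.Path is already percent-decoded
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("%w: %q is not absolute", ErrRejected, p)
	}
	// If the target exists, follow symlinks so a link planted inside an allowed root
	// cannot point outside it; a missing target would fail at copy time anyway.
	if real, err := filepath.EvalSymlinks(p); err == nil {
		p = real
	}
	return p, nil
}

// CheckFileLink is the gate a copy-into-assets routine would call: the resolved path
// must not touch a sensitive path and must sit under an allowed root. Deny wins over allow.
func CheckFileLink(raw string, roots, sensitive []string) (string, error) {
	p, err := ResolveFileLink(raw)
	if err != nil {
		return "", err
	}
	for _, s := range sensitive {
		if underDir(p, s) {
			return "", fmt.Errorf("%w: %q is under sensitive path %q", ErrRejected, p, s)
		}
	}
	for _, r := range roots {
		if underDir(p, r) {
			return p, nil
		}
	}
	return "", fmt.Errorf("%w: %q is outside every allowed root", ErrRejected, p)
}

// FileLinksInHTML collects file: URLs from href="..." and src="..." attributes with a
// plain string scan; it stands in for the HTML parser a real kernel would use.
func FileLinksInHTML(htmlText string) []string {
	var links []string
	for _, attr := range []string{`href="`, `src="`} {
		rest := htmlText
		for {
			i := strings.Index(rest, attr)
			if i < 0 {
				break
			}
			rest = rest[i+len(attr):]
			j := strings.IndexByte(rest, '"')
			if j < 0 {
				break
			}
			if v := rest[:j]; strings.HasPrefix(strings.ToLower(v), "file:") {
				links = append(links, v)
			}
			rest = rest[j+1:]
		}
	}
	return links
}

func main() {
	// Constructed paste: one legitimate image next to a link that climbs out of the allowed root.
	paste := `<p><img src="file:///home/alice/Documents/diagram.png"> ` +
		`<a href="file:///home/alice/Documents/../.ssh/id_rsa">notes</a></p>`
	for _, link := range FileLinksInHTML(paste) {
		if p, err := CheckFileLink(link, allowedRoots, sensitivePaths); err != nil {
			fmt.Println("skip:", err)
		} else {
			fmt.Println("copy:", p)
		}
	}
}
```

Two points matter for a check like this: the decision is made on the canonical path (after decoding, cleaning and symlink resolution), never on the pasted string, and the deny list is consulted before the allow list so that a sensitive directory nested inside an otherwise permitted tree still cannot be copied. In the example run, the diagram is accepted and the id_rsa link is refused because it canonicalises to a path under /home/alice/.ssh.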
Details
- CWE(s)