CVE-2026-33203
Published: 20 March 2026
Summary
CVE-2026-33203 is a high-severity Uncaught Exception (CWE-248) vulnerability in B3Log Siyuan. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires secure error handling for unchecked type assertions on attacker-controlled JSON, to prevent runtime panics that crash the SiYuan kernel process.
- Mandates validation of incoming WebSocket JSON messages, to block malformed inputs that trigger parsing failures and denial of service.
- Limits system services such as the WebSocket server that are accessible without authentication, preventing the unauthenticated connections exploited via the "auth keepalive" parameter.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote access to the public-facing WebSocket server with crafted JSON triggers an uncaught exception/panic (CWE-248/306), directly enabling T1190 for initial access and T1499.004 for application-layer denial of service.
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.
Deeper analysis
CVE-2026-33203 is a vulnerability in SiYuan, a personal knowledge management system, affecting versions prior to 3.6.2. The issue resides in the SiYuan kernel WebSocket server, which accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. Once connected, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON data, which can trigger a runtime panic.
A remote attacker can exploit this vulnerability over the network with no privileges required, low attack complexity, and no user interaction. By sending malformed JSON messages after establishing an unauthenticated WebSocket connection, the attacker can cause a runtime panic that crashes the kernel process, resulting in a denial-of-service condition. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its high availability impact.
The GitHub Security Advisory (GHSA-3g9h-9hp4-654v) confirms that version 3.6.2 of SiYuan addresses the vulnerability by fixing the unauthenticated WebSocket access and JSON parsing issues. Security practitioners should update to SiYuan 3.6.2 or later and review WebSocket configurations for exposed instances. The vulnerability is associated with CWE-248 (Uncaught Exception) and CWE-306 (Missing Authentication for Critical Function).
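The defect class described above (an unchecked type assertion on attacker-controlled JSON) beside its hardened form, as an added illustration that is not SiYuan's own code. It assumes the kernel is written in Go, which the advisory's wording ("runtime panic", "type assertions") implies; the message shapes and handler names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample messages: one well-formed, one with the wrong JSON shape.
const goodMsg = `{"cmd":"ping","param":{"id":"doc-1"}}`
const badMsg = `{"cmd":42,"param":[]}`

// handleUnchecked mirrors the vulnerable pattern: bare type assertions panic.
func handleUnchecked(raw []byte) string {
	var msg map[string]interface{}
	_ = json.Unmarshal(raw, &msg)
	cmd := msg["cmd"].(string)                     // panics on non-string
	param := msg["param"].(map[string]interface{}) // panics on non-object
	return fmt.Sprintf("%s:%d", cmd, len(param))
}

// handleChecked is the hardened form: comma-ok assertions return an error.
func handleChecked(raw []byte) (string, error) {
	var msg map[string]interface{}
	if err := json.Unmarshal(raw, &msg); err != nil {
		return "", err
	}
	cmd, ok := msg["cmd"].(string)
	if !ok || cmd == "" {
		return "", fmt.Errorf("cmd must be a non-empty string")
	}
	param, ok := msg["param"].(map[string]interface{})
	if !ok {
		return "", fmt.Errorf("param must be a JSON object")
	}
	return fmt.Sprintf("%s:%d", cmd, len(param)), nil
}

// safeDispatch is defence in depth: recover turns any remaining handler panic
// into an error, so one bad message cannot take the whole kernel process down.
func safeDispatch(raw []byte, h func([]byte) string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panic: %v", r)
		}
	}()
	return h(raw), nil
}

func main() { fmt.Println(safeDispatch([]byte(badMsg), handleUnchecked)) }
```

The recover wrapper is only a safety net for a per-message goroutine; the actual fix is validating every field with the comma-ok form before use, and not accepting the connection without authentication in the first place.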
Details
- CWE(s)