CVE-2026-33669
Published: 26 March 2026
Summary
CVE-2026-33669 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in B3Log Siyuan. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the 6.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for logical access, directly preventing unauthorized retrieval of document IDs and contents via the /api/file/readDir and /api/block/getChildBlocks endpoints.
AC-14 identifies and documents permitted actions without identification or authentication, restricting exposure of sensitive API endpoints like readDir and getChildBlocks to unauthenticated users.
SC-14 controls access to publicly accessible communications traffic, such as unauthenticated API endpoints, to block remote data exfiltration in SiYuan instances.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the exposed /api/file/readDir and /api/block/getChildBlocks endpoints maps directly to T1190 (exploitation of a public-facing application for unauthenticated access), T1083 (file and directory discovery, since readDir exposes document IDs), and T1005 (collection of full document contents from the local system).
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue.
Deeper analysis
CVE-2026-33669 is a critical vulnerability in SiYuan, an open-source personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface exposed document IDs, enabling attackers to chain this with the /api/block/getChildBlocks interface to retrieve the full content of all documents without authorization. This issue, classified under CWE-125 (Out-of-bounds Read), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to complete compromise potential across confidentiality, integrity, and availability.
Remote attackers require only network access to SiYuan instances, with no authentication, privileges, or user interaction needed. Exploitation allows unauthorized enumeration and exfiltration of all document contents, potentially exposing sensitive personal knowledge bases, notes, or data stored within the system.
The official GitHub Security Advisory (GHSA-34xj-66v3-6j83) confirms that SiYuan version 3.6.2 fully patches the vulnerability by addressing the improper access controls in the affected API endpoints. Security practitioners should immediately upgrade to version 3.6.2 or later and review exposed SiYuan deployments for potential prior exploitation.
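A log-review sketch for the check recommended above, added here as an example and not taken from the SiYuan project or the advisory: it flags clients that received a successful response from /api/file/readDir and then several from /api/block/getChildBlocks. It assumes a reverse proxy writing combined-format access logs; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a reverse proxy in front of SiYuan writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
READ_DIR = "/api/file/readDir"
CHILD_BLOCKS = "/api/block/getChildBlocks"

def find_chained_access(lines, window=timedelta(minutes=10), min_reads=3):
    """Return {client_ip: reads} for clients that got a 2xx from readDir and then
    at least min_reads 2xx responses from getChildBlocks within the window."""
    last_listing = {}          # ip -> time of most recent successful readDir
    reads = defaultdict(int)   # ip -> getChildBlocks hits that followed a listing
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue           # unparsable line, or request was rejected
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if path == READ_DIR:
            last_listing[m["ip"]] = ts
        elif path == CHILD_BLOCKS:
            seen = last_listing.get(m["ip"])
            if seen is not None and ts - seen <= window:
                reads[m["ip"]] += 1
    return {ip: n for ip, n in reads.items() if n >= min_reads}

def _line(ip, hms, path, status):
    # Builds one constructed combined-format log line.
    return (f'{ip} - - [27/Mar/2026:{hms} +0000] "POST {path} HTTP/1.1" '
            f'{status} 512 "-" "-"')

# Constructed sample (documentation-range addresses), not real traffic.
SAMPLE = [
    _line("203.0.113.7", "02:14:01", READ_DIR, 200),
    _line("203.0.113.7", "02:14:03", CHILD_BLOCKS, 200),
    _line("203.0.113.7", "02:14:04", CHILD_BLOCKS, 200),
    _line("203.0.113.7", "02:14:05", CHILD_BLOCKS, 200),
    _line("198.51.100.20", "09:00:00", CHILD_BLOCKS, 200),  # no prior listing
    _line("192.0.2.55", "11:30:00", READ_DIR, 401),         # rejected requests
    _line("192.0.2.55", "11:30:01", CHILD_BLOCKS, 401),
]

if __name__ == "__main__":
    for ip, n in find_chained_access(SAMPLE).items():
        print(f"{ip}: readDir followed by {n} getChildBlocks reads")
```

An access log does not show whether a request carried valid credentials, so hits are leads to compare against the addresses of known, legitimate clients.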
Details
- CWE(s)