CVE-2026-33670
Published: 26 March 2026
Summary
CVE-2026-33670 is a critical-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 9.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): implements input validation on the /api/file/readDir interface to reject path traversal attempts and prevent unauthorized directory enumeration.
- AC-3 (Access Enforcement): enforces access control policies that restrict logical access to file directories within authorized notebooks, blocking traversal beyond the intended scope.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of flaws such as the path traversal vulnerability fixed in SiYuan version 3.6.2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the unauthenticated, public /api/file/readDir endpoint directly enables initial access through exploitation of a public-facing application (T1190) and facilitates enumeration of notebooks and documents (File and Directory Discovery, T1083).
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.
Deeper analysis
CVE-2026-33670 is a path traversal vulnerability (CWE-22) affecting SiYuan, a personal knowledge management system, in versions prior to 3.6.2. The issue exists in the /api/file/readDir interface, which can be abused to traverse directories and retrieve the file names of all documents under a notebook. Published on 2026-03-26 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it represents a critical risk due to its high potential impact on confidentiality, integrity, and availability.
A remote, unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By sending crafted requests to the /api/file/readDir endpoint, the attacker can enumerate file names across documents in a notebook, potentially exposing sensitive structure and metadata that could facilitate further attacks, aligning with the high-impact CVSS vector.
The official GitHub Security Advisory (GHSA-xmw9-6r43-x9ww) documents the vulnerability, confirming that SiYuan version 3.6.2 addresses and patches the issue in the affected interface. Practitioners should prioritize upgrading to version 3.6.2 or later to mitigate exploitation risks.
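The SI-10 control listed above and the analysis of the readDir interface both come down to one defensive check: a client-supplied relative path must resolve to a location inside the notebook root before anything is listed. The following Go code is an added example written for this page, not SiYuan's own implementation; the function names (SafeJoin, ListDocuments, ReadDirHandler) and the `path` query parameter are assumptions chosen for illustration. It performs the lexical check with filepath.Join and filepath.Rel, then repeats the check after resolving symlinks so a link planted inside the notebook cannot redirect the listing elsewhere.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied path would resolve outside the notebook root.
var ErrOutsideRoot = errors.New("requested path escapes the notebook root")

// SafeJoin resolves a client-supplied, slash-separated relative path against
// root and returns the resolved absolute path only if it stays inside root.
// Hypothetical helper written for this example; not SiYuan's code.
func SafeJoin(root, requested string) (string, error) {
	// Absolute paths and NUL bytes have no place in a "list this notebook folder" request.
	if filepath.IsAbs(filepath.FromSlash(requested)) || strings.ContainsRune(requested, 0) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the path, so "a/../../x" collapses; Rel then tells us whether
	// the cleaned result still sits under root or climbed above it.
	candidate := filepath.Join(absRoot, filepath.FromSlash(requested))
	if !within(absRoot, candidate) {
		return "", ErrOutsideRoot
	}
	// Lexical checks are not enough if the tree contains symlinks: resolve both
	// sides and re-check so a link inside the notebook cannot redirect the listing.
	resolvedRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !within(resolvedRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// within reports whether target equals base or lies beneath it (both clean, absolute paths).
func within(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ListDocuments returns the entry names under requested, resolved inside root.
func ListDocuments(root, requested string) ([]string, error) {
	dir, err := SafeJoin(root, requested)
	if err != nil {
		return nil, err
	}
	entries, err := os.ReadDir(dir) // sorted by name
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(entries))
	for _, e := range entries {
		names = append(names, e.Name())
	}
	return names, nil
}

// ReadDirHandler is a hypothetical HTTP handler (not the project's own) that lists
// a folder inside a single notebook root and answers 400 on traversal attempts.
// Authentication would wrap this handler; it is outside the scope of the example.
func ReadDirHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// r.URL.Query() already percent-decodes, so an encoded "../" reaches SafeJoin decoded.
		names, err := ListDocuments(root, r.URL.Query().Get("path"))
		switch {
		case errors.Is(err, ErrOutsideRoot):
			http.Error(w, "invalid path", http.StatusBadRequest)
			return
		case err != nil:
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]any{"files": names})
	}
}
```

The two-stage check matters because a purely lexical test passes a symlink that points outside the notebook, while a purely resolved test would fail closed on paths that do not exist yet; doing both keeps the error for a traversal attempt distinct from a plain "not found", which is also the distinction a detection rule on the server logs would key on.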
Details
- CWE(s)