
CVE-2026-34453

Severity: High · Public PoC

Published: 31 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: version 3.6.2
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0380 (88.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34453 is a high-severity Incorrect Authorization (CWE-863) vulnerability in B3Log Siyuan. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.6% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

SiYuan is a personal knowledge management system whose publish service, prior to version 3.6.2, contains an authorization flaw in the bookmark retrieval endpoint. The /api/bookmark/getBookmark handler invokes FilterBlocksByPublishAccess with a nil context; because the filter interprets nil as an authorized caller, it bypasses the password check that normally protects documents marked as Protected and returns any bookmarked blocks from those documents.

An unauthenticated visitor who can reach the publish service can therefore enumerate and read content from password-protected documents whenever at least one block inside them has been bookmarked. The flaw requires no credentials and yields high confidentiality impact (CVSS 7.5, CWE-863) while leaving integrity and availability untouched. Note the precondition: only bookmarked blocks leak, so a protected document with no bookmarks is not exposed by this path.

The project has released version 3.6.2, which corrects the nil-context handling; administrators are advised to upgrade and to verify that the publish service is not exposed beyond intended audiences. The associated GitHub security advisory and release notes document the fix and the affected code path.

EPSS for the CVE rose from a low baseline to a peak of 0.0698 on 2026-04-03 before receding to 0.0380, indicating a measurable increase in exploitation interest shortly after disclosure.


Vulnerability details

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
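The nil-context failure described above, as an added example that is not SiYuan's own code: a simplified Go model of a publish-access filter, with the fail-open behaviour the advisory describes beside a fail-closed rewrite. The types Doc and Block, the context key, and the function names filterVulnerable, filterHardened, WithUnlockedDocs and GetBookmarkAsVisitor are assumptions made for this demonstration, and the sample documents and blocks are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Illustrative model of publish-mode block filtering (added example, not the
// project's code). All names here are assumptions for the demonstration.

// Block is a bookmarked block that belongs to a document.
type Block struct {
	ID    string
	DocID string
	Text  string
}

// Doc carries the publish access setting of a document.
type Doc struct {
	ID        string
	Protected bool // Protected documents require the publish password
}

type ctxKey string

const unlockedDocsKey ctxKey = "unlockedDocs"

// WithUnlockedDocs records which protected documents the caller has unlocked
// by supplying the publish password (hypothetical session model).
func WithUnlockedDocs(ctx context.Context, docIDs ...string) context.Context {
	set := map[string]bool{}
	for _, id := range docIDs {
		set[id] = true
	}
	return context.WithValue(ctx, unlockedDocsKey, set)
}

func unlocked(ctx context.Context, docID string) bool {
	set, _ := ctx.Value(unlockedDocsKey).(map[string]bool)
	return set[docID]
}

// filterVulnerable mirrors the flaw: a nil context is read as "trusted internal
// caller", so the password check is skipped and protected blocks leak.
func filterVulnerable(ctx context.Context, docs map[string]Doc, blocks []Block) []Block {
	if ctx == nil { // BUG: absence of a caller identity is treated as authorization
		return blocks
	}
	var out []Block
	for _, b := range blocks {
		if docs[b.DocID].Protected && !unlocked(ctx, b.DocID) {
			continue
		}
		out = append(out, b)
	}
	return out
}

// filterHardened fails closed: a missing context is an error, not a pass, and
// blocks of unknown documents are withheld as well.
func filterHardened(ctx context.Context, docs map[string]Doc, blocks []Block) ([]Block, error) {
	if ctx == nil {
		return nil, errors.New("publish access filter called without a request context")
	}
	var out []Block
	for _, b := range blocks {
		d, ok := docs[b.DocID]
		if !ok || (d.Protected && !unlocked(ctx, b.DocID)) {
			continue
		}
		out = append(out, b)
	}
	return out, nil
}

// sampleData is constructed input: one public and one protected document.
func sampleData() (map[string]Doc, []Block) {
	docs := map[string]Doc{
		"pub":  {ID: "pub", Protected: false},
		"priv": {ID: "priv", Protected: true},
	}
	blocks := []Block{
		{ID: "b1", DocID: "pub", Text: "public note"},
		{ID: "b2", DocID: "priv", Text: "secret note"},
	}
	return docs, blocks
}

// GetBookmarkAsVisitor models an unauthenticated publish-service request.
// vulnerable=true reproduces the nil-context call; false uses the fixed path,
// where a visitor who never entered the password has unlocked nothing.
func GetBookmarkAsVisitor(vulnerable bool) ([]Block, error) {
	docs, blocks := sampleData()
	if vulnerable {
		return filterVulnerable(nil, docs, blocks), nil
	}
	return filterHardened(context.Background(), docs, blocks)
}

func main() {
	leaked, _ := GetBookmarkAsVisitor(true)
	fmt.Println("vulnerable path returned", len(leaked), "blocks")
	fixed, _ := GetBookmarkAsVisitor(false)
	fmt.Println("hardened path returned", len(fixed), "blocks")
	_, err := filterHardened(nil, nil, nil)
	fmt.Println("hardened filter with nil context:", err)
}
```

The vulnerable path hands both blocks, including the one from the Protected document, to a visitor who never supplied the password; the hardened path returns only the public block and rejects a nil context outright. The general rule the fix encodes is that an authorization filter must treat an absent caller identity as unauthenticated, never as trusted.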

CWE(s)

CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authorization bypass in a public-facing publish service endpoint, directly enabling remote exploitation of the application to access protected data without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34605 · Same product: B3Log Siyuan
CVE-2026-32767 · Same product: B3Log Siyuan
CVE-2026-23850 · Same product: B3Log Siyuan
CVE-2026-32749 · Same product: B3Log Siyuan
CVE-2026-32940 · Same product: B3Log Siyuan
CVE-2026-25992 · Same product: B3Log Siyuan
CVE-2026-40259 · Same product: B3Log Siyuan
CVE-2026-32938 · Same product: B3Log Siyuan
CVE-2026-33670 · Same product: B3Log Siyuan
CVE-2025-21609 · Same product: B3Log Siyuan

Affected Assets

Vendor: b3log
Product: siyuan
Versions: < 3.6.2 (fixed in 3.6.2)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 (prevent): mandates enforcement of approved authorizations, directly addressing the incorrect authorization bypass where a nil context skips the password check for protected documents.

AC-22 (prevent): requires designation, review, and control of publicly accessible content, limiting what the publish service can expose even when an application-level check fails.

SC-14 (prevent): enforces security restrictions on publicly accessible system interfaces such as the /api/bookmark/getBookmark endpoint, mitigating unauthenticated access to protected content. Note that SC-14 is marked withdrawn in 800-53 r5, with its capability absorbed into AC-3 and related controls, so implementers should trace it to those controls.
