CVE-2026-34453
Published: 31 March 2026
Summary
CVE-2026-34453 is a high-severity Incorrect Authorization (CWE-863) vulnerability in B3Log Siyuan. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Deeper analysis
SiYuan is a personal knowledge management system whose publish service, prior to version 3.6.2, contains an authorization flaw in the bookmark retrieval endpoint. The /api/bookmark/getBookmark handler invokes FilterBlocksByPublishAccess with a nil context; because the filter interprets nil as an authorized caller, it bypasses the password check that normally protects documents marked as Protected and returns any bookmarked blocks from those documents.
An unauthenticated visitor who can reach the publish service can therefore enumerate and read content from password-protected documents whenever at least one block inside them has been bookmarked. The flaw requires no credentials and has a high confidentiality impact (CVSS 7.5, CWE-863) while leaving integrity and availability untouched.
The project has released version 3.6.2, which corrects the nil-context handling; administrators are advised to upgrade and to verify that the publish service is not exposed beyond intended audiences. The associated GitHub security advisory and release notes document the fix and the affected code path.
EPSS for the CVE rose from a low baseline to a peak of 0.0698 on 2026-04-03 before receding to 0.0380, indicating a measurable increase in exploitation interest shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17683
Vulnerability details
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
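The failure mode described in the deeper analysis and in the details above is a fail-open default: an access filter that reads a missing (nil) caller context as "trusted". The following Go program is an added illustration of that pattern beside a fail-closed rewrite; it is not SiYuan's code, and the types (Block, Doc, Session), the functions (filterVulnerable, filterHardened, filterByAccess) and the sample data are all constructed for this example.

```go
package main

import "fmt"

// Block is a bookmarked block and the document it belongs to (constructed model).
type Block struct {
	ID    string
	DocID string
}

// Doc carries a document's publish setting (constructed model).
type Doc struct {
	ID        string
	Protected bool
}

// Session stands in for the request context of a publish handler. A nil
// *Session models the nil context the advisory describes. Unlocked holds the
// IDs of protected documents for which this session has presented the password.
type Session struct {
	Unlocked map[string]bool
}

type docIndex map[string]Doc

// filterVulnerable reproduces the flawed pattern: a nil context is taken to
// mean "trusted caller", so every bookmarked block is returned, protected or not.
func filterVulnerable(s *Session, docs docIndex, blocks []Block) []Block {
	if s == nil {
		return blocks // BUG: absence of a session is treated as authorization
	}
	return filterByAccess(s, docs, blocks)
}

// filterHardened fails closed: a nil context is an anonymous visitor who has
// unlocked nothing, so only blocks from unprotected documents pass through.
func filterHardened(s *Session, docs docIndex, blocks []Block) []Block {
	if s == nil {
		s = &Session{Unlocked: map[string]bool{}}
	}
	return filterByAccess(s, docs, blocks)
}

// filterByAccess keeps a block when its document is public, or when the
// session has unlocked that document. Unknown documents are dropped.
func filterByAccess(s *Session, docs docIndex, blocks []Block) []Block {
	out := make([]Block, 0, len(blocks))
	for _, b := range blocks {
		d, ok := docs[b.DocID]
		if !ok {
			continue // no metadata: deny rather than guess
		}
		if !d.Protected || s.Unlocked[d.ID] {
			out = append(out, b)
		}
	}
	return out
}

// blockIDs flattens a result set for easy comparison.
func blockIDs(blocks []Block) []string {
	ids := make([]string, 0, len(blocks))
	for _, b := range blocks {
		ids = append(ids, b.ID)
	}
	return ids
}

// sampleData builds one public and one Protected document, each with a
// bookmarked block (constructed sample input).
func sampleData() (docIndex, []Block) {
	docs := docIndex{
		"doc-public":    {ID: "doc-public", Protected: false},
		"doc-protected": {ID: "doc-protected", Protected: true},
	}
	blocks := []Block{
		{ID: "blk-1", DocID: "doc-public"},
		{ID: "blk-2", DocID: "doc-protected"},
	}
	return docs, blocks
}

func main() {
	docs, blocks := sampleData()
	fmt.Println("vulnerable, nil context:", blockIDs(filterVulnerable(nil, docs, blocks)))
	fmt.Println("hardened,   nil context:", blockIDs(filterHardened(nil, docs, blocks)))
	unlocked := &Session{Unlocked: map[string]bool{"doc-protected": true}}
	fmt.Println("hardened,   unlocked:  ", blockIDs(filterHardened(unlocked, docs, blocks)))
}
```

The only difference between the two filters is what a nil context means. Treating it as "no privileges" keeps the password check on the path for anonymous visitors while still letting a session that has unlocked the document see its blocks, which is the behaviour the 3.6.2 fix restores according to the advisory.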
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authorization bypass in a public-facing publish service endpoint, directly enabling remote exploitation of the application to access protected data without authentication.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly addressing the incorrect authorization bypass where nil context skips password checks for protected documents.
AC-22 requires designation, review, and control of publicly accessible content, preventing exposure of bookmarked blocks from password-protected documents via the publish service.
SC-14 enforces security restrictions on publicly accessible system interfaces like the /api/bookmark/getBookmark endpoint, mitigating unauthenticated access to protected content.