CVE-2026-34453
Published: 31 March 2026
Summary
CVE-2026-34453 is a high-severity Incorrect Authorization (CWE-863) vulnerability in B3Log Siyuan. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly addressing the incorrect authorization bypass where nil context skips password checks for protected documents.
AC-22 requires designation, review, and control of publicly accessible content, preventing exposure of bookmarked blocks from password-protected documents via the publish service.
SC-14 enforces security restrictions on publicly accessible system interfaces like the /api/bookmark/getBookmark endpoint, mitigating unauthenticated access to protected content.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authorization bypass in a public-facing publish service endpoint, directly enabling remote exploitation of the application to access protected data without authentication.
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.
Deeper analysis
CVE-2026-34453 is a vulnerability in SiYuan, a personal knowledge management system, affecting versions prior to 3.6.2. The issue resides in the publish service, specifically the /api/bookmark/getBookmark endpoint in publish/read-only mode. This endpoint filters bookmark results using FilterBlocksByPublishAccess(nil, ...), where a nil context is treated as authorized, bypassing the publish password check for documents configured as Protected. As a result, bookmarked blocks from password-protected documents are exposed to unauthenticated visitors.
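The defensive lesson here is a fail-open default: an absent (nil) caller context was interpreted as "authorized" instead of "anonymous". The Go program below is an added illustration written for this page, not SiYuan's code, and it does not reproduce the real FilterBlocksByPublishAccess signature. The types Block, Doc and PublishContext, the functions filterBlocksFailOpen, filterBlocksFailClosed, keepAccessible and sampleData, and the sample data are all assumptions constructed for the example. It places the fail-open filter beside a fail-closed one in which a nil context unlocks nothing, so blocks from protected documents are returned only to a caller that has supplied the publish password.

```go
package main

import "fmt"

// Hypothetical reconstruction of the fail-open pattern described in the
// advisory. Not SiYuan's code; all names below are assumptions.

// Block is a bookmarked block belonging to a document.
type Block struct {
	ID    string
	DocID string
}

// Doc records whether a document is password-protected in publish mode.
type Doc struct {
	ID        string
	Protected bool
}

// PublishContext carries the set of documents the visitor has unlocked by
// supplying the publish password. A nil *PublishContext means "anonymous".
type PublishContext struct {
	Unlocked map[string]bool
}

// filterBlocksFailOpen mirrors the flaw: a nil context is treated as
// "authorized", so the password check is skipped and protected documents'
// blocks are returned to anonymous callers.
func filterBlocksFailOpen(ctx *PublishContext, blocks []Block, docs map[string]Doc) []Block {
	if ctx == nil {
		return blocks // BUG: nil means "skip the password check"
	}
	return keepAccessible(ctx, blocks, docs)
}

// filterBlocksFailClosed is the hardened form: a nil context is normalised
// to an anonymous context that has unlocked nothing, so protected documents
// stay hidden unless the caller actually supplied the password.
func filterBlocksFailClosed(ctx *PublishContext, blocks []Block, docs map[string]Doc) []Block {
	if ctx == nil {
		ctx = &PublishContext{Unlocked: map[string]bool{}}
	}
	return keepAccessible(ctx, blocks, docs)
}

// keepAccessible returns blocks from unprotected documents plus blocks from
// protected documents the caller has unlocked. Blocks whose document is
// unknown are dropped rather than assumed public.
func keepAccessible(ctx *PublishContext, blocks []Block, docs map[string]Doc) []Block {
	var out []Block
	for _, b := range blocks {
		doc, ok := docs[b.DocID]
		if !ok {
			continue // unknown document: deny by default
		}
		if !doc.Protected || ctx.Unlocked[doc.ID] {
			out = append(out, b)
		}
	}
	return out
}

// sampleData builds constructed sample input: one bookmarked block in a
// public document and one in a password-protected document.
func sampleData() ([]Block, map[string]Doc) {
	blocks := []Block{{ID: "b1", DocID: "public"}, {ID: "b2", DocID: "secret"}}
	docs := map[string]Doc{
		"public": {ID: "public", Protected: false},
		"secret": {ID: "secret", Protected: true},
	}
	return blocks, docs
}

func main() {
	blocks, docs := sampleData()
	fmt.Println("fail-open, anonymous:  ", len(filterBlocksFailOpen(nil, blocks, docs)))   // 2 (leaks b2)
	fmt.Println("fail-closed, anonymous:", len(filterBlocksFailClosed(nil, blocks, docs))) // 1 (b1 only)
	unlocked := &PublishContext{Unlocked: map[string]bool{"secret": true}}
	fmt.Println("fail-closed, unlocked: ", len(filterBlocksFailClosed(unlocked, blocks, docs))) // 2
}
```

The design point is that authorization decisions should never hinge on a sentinel that can arrive by accident: a nil pointer is easy to pass from a code path that simply has no session, and the hardened filter makes that path yield the least privilege rather than the most. The same check belongs in every caller of the filter in publish mode, since the endpoint named in the advisory is one of potentially several that reuse it.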
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special setup, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Anyone able to access the publish service can retrieve sensitive content from protected documents without providing the required password, provided at least one block in the document is bookmarked. This leads to high confidentiality impact (CWE-863: Incorrect Authorization) but no integrity or availability disruption.
The vulnerability has been addressed in SiYuan version 3.6.2, as detailed in the project's release notes and security advisory (GHSA-c77m-r996-jr3q). Additional details are available in GitHub issue #17246, which reported the flaw. Security practitioners should upgrade to version 3.6.2 or later to mitigate exposure of protected content via the publish service.
Details
- CWE(s)