CVE-2026-23850

7.5 HIGH

📋 TL;DR

SiYuan personal knowledge management system versions before 3.5.4 contain a path traversal vulnerability in the markdown feature's HTML rendering. This allows attackers to read arbitrary files on the server. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • SiYuan Personal Knowledge Management System
Versions: All versions prior to 3.5.4
Operating Systems: All platforms running SiYuan
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with markdown functionality enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through sensitive file disclosure (configuration files, credentials, database contents), potentially leading to lateral movement and data exfiltration.

🟠 Likely Case

Unauthorized reading of sensitive files containing credentials, configuration data, or user information stored on the server.

🟢 If Mitigated

Limited impact with proper network segmentation and file system permissions restricting access to sensitive directories.

🌐 Internet-Facing: HIGH - Web applications with this vulnerability are directly accessible to attackers without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability appears to be exploitable without authentication based on the CWE-22 (Path Traversal) classification and unrestricted server-side HTML rendering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4

Vendor Advisory: https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd

Restart Required: Yes

Instructions:

1. Back up your SiYuan data.
2. Download version 3.5.4 or later from the official repository.
3. Stop the SiYuan service.
4. Replace the installation with the new version.
5. Restart the SiYuan service.

🔧 Temporary Workarounds

Disable Markdown Feature (platform: all)

Temporarily disable the markdown rendering functionality to prevent exploitation.

Modify the configuration to disable markdown processing (the specific setting or command depends on the deployment).

File System Restrictions (platform: linux)

Implement strict file system permissions to limit SiYuan's access to sensitive directories.

chmod 750 /path/to/siyuan/data
chown siyuan:siyuan /path/to/siyuan/data

🧯 If You Can't Patch

  • Implement strict network access controls to limit SiYuan exposure to trusted networks only.
  • Deploy a web application firewall (WAF) with path traversal protection rules enabled.

🔍 How to Verify

Check if Vulnerable:

Check if SiYuan version is below 3.5.4 in the application settings or about page.

Check Version:

Check application UI or configuration files for version information.

Verify Fix Applied:

Confirm version is 3.5.4 or higher and test that path traversal attempts in markdown input are properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in application logs
  • Multiple failed path traversal attempts
  • Access to sensitive file paths

Network Indicators:

  • HTTP requests containing '../' sequences in markdown-related endpoints
  • Unusual file download patterns

SIEM Query:

source="siyuan" AND (url="*../*" OR message="*path traversal*" OR message="*file read*")
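The network indicators above are easy to miss with a literal `../` match, because the sequence is often percent-encoded (`%2e%2e%2f`) or double-encoded. The following is an added example, not part of this advisory or of SiYuan: a small log scanner that decodes request URLs repeatedly before matching, restricts the match to an assumed API path prefix, and counts repeat sources. The log lines and the `/api/markdown/...` endpoint names are constructed placeholders, not real SiYuan routes.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). Endpoint names are
# hypothetical placeholders, not SiYuan's real API routes.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "POST /api/markdown/render HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jan/2026:10:00:02 +0000] "GET /api/markdown/asset?path=../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [12/Jan/2026:10:00:03 +0000] "GET /api/markdown/asset?path=..%2f..%2fconf.json HTTP/1.1" 200 900',
    '10.0.0.7 - - [12/Jan/2026:10:00:04 +0000] "GET /api/markdown/asset?path=%252e%252e/secret HTTP/1.1" 403 0',
    '10.0.0.9 - - [12/Jan/2026:10:00:05 +0000] "GET /stage/app/index.html HTTP/1.1" 200 4096',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment at the start of a value or after a separator, followed by "/" or end.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')


def normalize(url, rounds=3):
    """Percent-decode up to `rounds` times (catches %2e%2e and %252e%252e) and unify slashes."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace('\\', '/')


def find_traversal(lines, path_prefixes=('/api/',)):
    """Return requests whose decoded URL targets an API path and contains a '..' segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log records
        url = normalize(m['url'])
        if not url.startswith(path_prefixes):
            continue
        if TRAVERSAL_RE.search(url):
            hits.append({'ip': m['ip'], 'url': m['url'], 'status': int(m['status'])})
    return hits


def repeat_offenders(hits, threshold=2):
    """Source IPs with at least `threshold` traversal attempts (the 'multiple attempts' indicator)."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return sorted(ip for ip, c in counts.items() if c >= threshold)
```

A 200 status on a flagged request is the one to escalate first, since a 403 suggests the attempt was already blocked.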
