CVE-2026-30926
📋 TL;DR
A privilege escalation vulnerability in SiYuan Note's publish service allows authenticated users with read-only publish accounts (RoleReader) to modify notebook content. This occurs because the /api/block/appendHeadingChildren API endpoint only checks for basic authentication (model.CheckAuth) without verifying admin or read-only permissions. All SiYuan Note instances running versions before 3.5.10 with publish service enabled are affected.
💻 Affected Systems
- SiYuan Note
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious publish users could systematically corrupt or deface all published notebooks, destroying knowledge base integrity and potentially injecting malicious content.
Likely Case
Accidental or intentional unauthorized modifications to published notebooks, leading to data integrity issues and loss of trust in the knowledge management system.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated unauthorized modifications that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated publish account access but is straightforward via API calls. No special tools or advanced knowledge required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.10
Vendor Advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523
Restart Required: Yes
Instructions:
1. Backup your SiYuan data.
2. Download SiYuan Note version 3.5.10 or later from official sources.
3. Install the update following standard procedures for your platform.
4. Restart the SiYuan service/application.
🔧 Temporary Workarounds
Disable Publish Service
Temporarily disable the publish service if not required, eliminating the attack vector.
Modify SiYuan configuration to disable publish service (specific commands depend on deployment method)
Restrict Publish Account Access
Remove or suspend all publish accounts until patching is complete.
Remove publish accounts from SiYuan configuration or access control lists
🧯 If You Can't Patch
- Implement strict network access controls to limit publish service API access to trusted IPs only.
- Enable detailed audit logging for all publish service API calls and monitor for unauthorized modification attempts.
🔍 How to Verify
Check if Vulnerable:
Check SiYuan version via Help → About in the application or by examining version files in the installation directory. If version is below 3.5.10 and publish service is enabled, the system is vulnerable.
Check Version:
Check application version in UI or examine package/installation metadata
Verify Fix Applied:
After updating to 3.5.10 or later, verify that publish accounts with RoleReader cannot modify content via the /api/block/appendHeadingChildren endpoint.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to /api/block/appendHeadingChildren from publish accounts
- Unexpected content modifications in published notebooks
Network Indicators:
- API calls to /api/block/appendHeadingChildren from publish user accounts
SIEM Query:
source="siyuan" AND (uri_path="/api/block/appendHeadingChildren" AND user_role="RoleReader")
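The log indicators and SIEM query above can also be applied offline to exported access logs. The following is an added example, not code from SiYuan or from this advisory; it assumes a hypothetical JSON-per-line log whose field names mirror the SIEM query (uri_path, user_role), and the sample lines are constructed. It flags POST requests to /api/block/appendHeadingChildren made by RoleReader accounts and records whether the server accepted the write (unpatched) or rejected it (patched, but still an attempt worth reviewing).

```python
import json
from typing import Dict, List, Optional

# Constructed sample log lines in a hypothetical JSON-per-line format.
# Field names follow the SIEM query in the advisory; SiYuan's real log layout may differ.
SAMPLE_LOGS = [
    '{"ts":"2026-03-01T10:00:01Z","method":"POST","uri_path":"/api/block/appendHeadingChildren","user":"alice","user_role":"RoleAdministrator","status":200}',
    '{"ts":"2026-03-01T10:00:05Z","method":"POST","uri_path":"/api/block/appendHeadingChildren","user":"guest1","user_role":"RoleReader","status":200}',
    '{"ts":"2026-03-01T10:00:09Z","method":"GET","uri_path":"/api/system/version","user":"guest1","user_role":"RoleReader","status":200}',
    '{"ts":"2026-03-01T10:00:12Z","method":"POST","uri_path":"/api/block/appendHeadingChildren","user":"guest2","user_role":"RoleReader","status":403}',
    'not a json line',  # malformed input must not abort the scan
]

WATCHED_PATH = "/api/block/appendHeadingChildren"   # endpoint named in the advisory
READ_ONLY_ROLE = "RoleReader"                        # role that must never write


def parse_line(line: str) -> Optional[Dict]:
    """Parse one JSON log line; return None for malformed or non-object lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def find_suspicious(lines: List[str]) -> List[Dict]:
    """Return one finding per POST to the write endpoint made by a read-only account.

    'succeeded' is True for a 2xx response, meaning the write went through
    (consistent with an unpatched instance); a 403 indicates the patched
    server refused it, which is still logged as an attempt.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("method") != "POST" or rec.get("uri_path") != WATCHED_PATH:
            continue
        if rec.get("user_role") != READ_ONLY_ROLE:
            continue
        status = int(rec.get("status", 0))
        findings.append({
            "ts": rec.get("ts"),
            "user": rec.get("user"),
            "succeeded": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS):
        print(f)
```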