CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-23850

SiYuan Note LFD: Turning Personal Knowledge into Public Property

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 21, 2026·5 min read·26 visits

Executive Summary (TL;DR)

SiYuan < 3.5.4 has a feature that downloads remote images referenced in Markdown to the local server for offline storage. It fails to validate the URI scheme, allowing attackers to supply `file://` paths or internal IPs. This tricks the server into reading `/etc/passwd` or internal metadata and saving it as a static asset, which the attacker can then download.

A critical Local File Disclosure (LFD) and Server-Side Request Forgery (SSRF) vulnerability in SiYuan note-taking software allows authenticated attackers to read sensitive files from the host server by abusing the 'local assets' conversion feature.

The Hook: Privacy-First, Security-Maybe

SiYuan markets itself as a "privacy-first" personal knowledge management system. It's the kind of tool where you store your deepest thoughts, your startup ideas, and maybe your API keys. It runs locally or on a private server, promising that your data belongs to you.

But as any security researcher knows, the more a product screams "privacy," the more ironic its inevitable security failure will be. CVE-2026-23850 is a textbook example of a convenience feature tearing a hole through that privacy promise. It turns the application into a glorified file server for anyone with a login.

This isn't a complex buffer overflow or a race condition. It is a logic flaw born from the desire to make the user experience smoother. The developers wanted to let you save external images locally. They just forgot to check if those "images" were actually system files like /etc/passwd.

The Flaw: The 'Download Everything' Handler

The vulnerability lives in a feature called netAssets2LocalAssets. The logic is simple: you write a Markdown document with a link to an image (e.g., ![cat](http://cat.com/meow.jpg)), and the server fetches that image and saves it to your local workspace so you don't lose it if the internet goes down.

The problem? The function netAssets2LocalAssets0 in kernel/model/assets.go trusted the input implicitly. It parses the Markdown, extracts the link, and hands it off to a resource fetcher.

It failed to ask two critical questions:

  1. What protocol are we using? (It accepted file:// just as happily as http://).
  2. Where does this point? (It didn't validate if the target was localhost, a private IP, or a sensitive system path).

If you passed it file:///etc/shadow, the server reasoned: "Ah, the user wants to save a local copy of this file. I shall read it and place it in the public assets folder for them."

The Code: The Smoking Gun

Let's look at the logic flow. The vulnerable code effectively treated any string inside []() or ![]() as a target for retrieval.

Here is a conceptual simplification of what was happening server-side:

// Pseudo-code of the vulnerable logic
func netAssets2LocalAssets(link string) {
    // No check for 'file://' prefix!
    data, err := readFileOrNetwork(link)
    if err == nil {
        // Saves content to /data/assets/network-asset-xxx
        saveToPublicDir(data)
    }
}

The fix, introduced in version 3.5.4, didn't actually disable the file:// protocol or implement a robust whitelist. Instead, it introduced a utility function IsSensitivePath in kernel/util/path.go.

This function acts as a massive blocklist (a "deny list"). It explicitly checks if the path contains strings like:

  • /etc/passwd, /etc/shadow
  • .ssh, id_rsa
  • .env, config.yaml

> [!ALERT] > Researcher Note: Blacklists are notoriously difficult to maintain. While this stops the script kiddie copying a /etc/passwd PoC, it leaves the door open for creative attackers to find files that aren't on the list, or to use the SSRF vector to hit internal metadata endpoints (like AWS 169.254.169.254), which are rarely file paths.

The Exploit: Stealing Secrets in 5 Steps

Exploiting this requires an authenticated session, but in many self-hosted instances, users share credentials or use weak auth codes. Here is how we turn a note-taking app into a data exfiltration tool.

  1. Login: Authenticate to the API.
  2. Plant the Bait: Create a new Markdown note via /api/filetree/createDocWithMd.
    {
      "markdown": "[loot](file:///etc/passwd)"
    }
  3. Trigger the Trap: Call the asset conversion endpoint /api/format/netAssets2LocalAssets on the document ID you just created.
  4. The Server Obeys: The server reads /etc/passwd, thinks it's downloading an asset, and saves it to /data/assets/ with a name like network-asset-passwd-xyz.txt.
  5. Exfiltrate: List the directory contents via /api/file/readDir to find the generated filename, then download it directly via the web interface.

The Impact: Why You Should Care

The impact here is twofold: Local File Disclosure (LFD) and Server-Side Request Forgery (SSRF).

LFD: Attackers can grab configuration files. If SiYuan is running in a Docker container, you might just get container configs. But if it's running on bare metal (common for personal servers), you could grab SSH keys (~/.ssh/id_rsa), the app's own database credentials, or environment variables containing API keys for third-party integrations.

SSRF: Since the validator doesn't block IP addresses, an attacker could force the server to scan the internal network.

  • [router](http://192.168.1.1/admin) -> Saves the router login page.
  • [cloud](http://169.254.169.254/latest/meta-data/) -> If hosted on AWS/GCP, this could leak the instance IAM role credentials, leading to full cloud account compromise.

The Fix: Imperfect but Essential

The vendor patched this in version 3.5.4. The patch (Commits b2274bab and f8f4b517) implements the IsSensitivePath check.

Critique: The fix is a "band-aid." It patches the symptom (reading sensitive files) by blocking specific filenames, rather than addressing the root cause (unrestricted protocol usage). A more robust fix would have been to:

  1. Whitelist protocols: Only allow http and https.
  2. Disable local interaction: Explicitly ban file://.
  3. Implement an egress filter: Block calls to private IP ranges (RFC 1918) to prevent SSRF.

For now, the blocklist stops the obvious attacks, but savvy researchers will likely be fuzzing that IsSensitivePath function looking for bypasses involving symbolic links, alternative encodings, or unlisted sensitive files.

Official Patches

SiYuanOfficial Release Notes for v3.5.4

Fix Analysis (2)

Technical Appendix

CVSS Score
7.8/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Probability
0.06%
Top 83% most exploited

Affected Systems

SiYuan Note < 3.5.4 (Windows)SiYuan Note < 3.5.4 (macOS)SiYuan Note < 3.5.4 (Linux / Docker)

Affected Versions Detail

Product
Affected Versions
Fixed Version
SiYuan
SiYuan
< 3.5.43.5.4
AttributeDetail
CWE IDCWE-22
Attack VectorNetwork
CVSS v4.07.8 (High)
CVSS v3.18.8 (High)
ImpactConfidentiality Loss (High)
Exploit StatusPoC Available

MITRE ATT&CK Mapping

T1559Inter-Process Communication
Execution
T1005Data from Local System
Collection
T1210Exploitation of Remote Services
Lateral Movement
CWE-22
Path Traversal

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Known Exploits & Detection

GitHub IssueOriginal issue report detailing the vulnerability
Generated PoCPython script demonstrating authenticated LFD

Vulnerability Timeline

Patch commits pushed to repository
2026-01-18
CVE-2026-23850 assigned
2026-01-19
GHSA-cv54-7wv7-qxcw published
2026-01-21

References & Sources

  • [1]GHSA-cv54-7wv7-qxcw
  • [2]NVD - CVE-2026-23850

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 20 hours ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
10 views•6 min read
•1 day ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
20 views•8 min read
•1 day ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
7 views•5 min read
•2 days ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
8 views•6 min read
•6 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
23 views•6 min read
•6 days ago•CVE-2026-55700
7.1

CVE-2026-55700: Path Traversal and Arbitrary File Write in pnpm stage download

A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.

Alon Barad
Alon Barad
16 views•4 min read