Mar 14, 2026
A missing authorization check in SiYuan's `renderSprig` API endpoint allows low-privileged authenticated users to execute arbitrary SQL queries via malicious templates, exposing all workspace data.
SiYuan versions prior to 3.6.1 contain an improper authorization vulnerability in the template rendering API. An authenticated attacker can exploit a missing access control check to execute arbitrary SQL queries against the local workspace database, leading to high-impact information disclosure.
SiYuan is a personal knowledge management system that utilizes a local SQLite database to store user workspaces, notes, metadata, and custom attributes. The application exposes an administrative API to facilitate various backend operations, including the evaluation of templates via the Sprig library. This template engine is designed to allow administrators to dynamically generate content and query the underlying data structures.
CVE-2026-32704 is an improper authorization vulnerability (CWE-285) located in the POST /api/template/renderSprig endpoint. This specific route handles the parsing and execution of Sprig templates submitted via HTTP requests. The vulnerability arises because the endpoint fails to verify whether the requesting user possesses administrative privileges before processing the template.
Consequently, the application processes the template using the privileges of the application process itself. Since the SiYuan template engine explicitly exposes a SQL function to the template context, an authenticated attacker can leverage this endpoint to interact directly with the backend SQLite database.
The root cause of CVE-2026-32704 lies in the omission of the standard authorization middleware or check function on the renderSprig API route. In the SiYuan codebase, administrative endpoints are expected to invoke model.CheckAdminRole to validate the authorization token and role of the incoming request. This function ensures that only highly privileged users can access sensitive backend features.
The renderSprig endpoint was deployed without this crucial model.CheckAdminRole invocation. When an HTTP POST request reaches the route, the application only verifies that the request contains a valid authentication token, satisfying the low-privilege requirement. It then proceeds to pass the user-supplied JSON payload directly to the Sprig template rendering engine.
The Sprig environment configured by SiYuan includes custom functions tailored for workspace management. One of these functions, typically exposed as sql, accepts a raw SQL query string, executes it against the local SQLite database, and returns the result set to the template context. Because the authorization check is absent, any authenticated user can successfully invoke this powerful internal function.
Exploitation of CVE-2026-32704 requires the attacker to possess valid credentials or an authentication token for a non-administrative account on the target SiYuan instance. Network access to the application's API interface is also necessary. The attack vector relies entirely on standard HTTP requests, requiring no specialized tools beyond an HTTP client.
The attacker crafts a POST request to /api/template/renderSprig with a JSON body containing the template key. The value of this key contains the malicious Sprig payload. By utilizing the pipeline operator (|) in the template syntax, the attacker passes an arbitrary SQL query string into the sql function exposed by the engine.
```http
POST /api/template/renderSprig HTTP/1.1
Host: [siyuan-host]
Authorization: Token [user-token]
Content-Type: application/json

{
  "template": "{{ \"SELECT * FROM blocks LIMIT 5\" | sql }}"
}
```

Upon processing the request, the backend evaluates the template, executes the embedded SELECT statement, and serializes the result. The application returns this data within the HTTP response body. An attacker can systematically query the database schema and exfiltrate all tables by altering the SQL payload in subsequent requests.
The vulnerability carries a CVSS v3.1 score of 6.5 (Medium severity), calculated with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The primary impact is a total loss of confidentiality for the data stored within the SiYuan workspace. The attack vector is network-based and involves low complexity, making it highly reproducible.
An attacker successfully exploiting this vulnerability gains read access to the entire SQLite database. This exposes all user notes, sensitive metadata, custom attributes, and application configuration settings. If the workspace contains proprietary information, credentials, or personal data, the exposure represents a severe security breach.
The CVSS vector indicates no impact on integrity or availability. The exposed SQL function within the template engine is typically restricted to data retrieval operations, preventing the execution of INSERT, UPDATE, or DELETE statements. However, the exact limitations depend on the underlying SQLite connection configuration and the specific implementation of the sql helper function.
The vendor addressed CVE-2026-32704 in SiYuan version 3.6.1. The patch introduces the missing model.CheckAdminRole validation within the handler for the /api/template/renderSprig endpoint. This ensures that the application verifies administrative privileges before passing the request body to the template engine, effectively closing the unauthorized access vector.
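The following Go program is an added illustration of the fix pattern, not SiYuan's own code: Go's net/http and text/template stand in for the project's web framework and the Sprig engine, the token table and the echo-only `sql` stand-in are constructed, and `authorize` plays the role the advisory assigns to model.CheckAdminRole. `renderSprigHandler(false)` behaves like the pre-3.6.1 route (token validity only); `renderSprigHandler(true)` adds the admin-role check the patch introduces.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
	"text/template"
)

// Constructed token table standing in for SiYuan's real session handling.
var roles = map[string]string{"admin-token": "admin", "user-token": "user"}

// authorize gates rendering. Both versions require a valid token; only the
// fixed route also enforces the admin role, the step model.CheckAdminRole
// performs in SiYuan and the step the vulnerable handler skipped.
func authorize(w http.ResponseWriter, r *http.Request, requireAdmin bool) bool {
	switch role := roles[strings.TrimPrefix(r.Header.Get("Authorization"), "Token ")]; {
	case role == "":
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
	case requireAdmin && role != "admin":
		http.Error(w, "forbidden", http.StatusForbidden)
	default:
		return true
	}
	return false
}

// renderSprigHandler renders the "template" JSON field with a "sql" function
// in scope; requireAdmin=false reproduces the vulnerable route, true the fix.
func renderSprigHandler(requireAdmin bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !authorize(w, r, requireAdmin) {
			return
		}
		var body struct{ Template string `json:"template"` }
		if json.NewDecoder(r.Body).Decode(&body) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Constructed stand-in for the sql helper: it echoes the query rather
		// than running it against SQLite, so the gate's effect stays visible.
		funcs := template.FuncMap{"sql": func(q string) string { return "rows for " + q }}
		if t, err := template.New("t").Funcs(funcs).Parse(body.Template); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		} else {
			t.Execute(w, nil)
		}
	}
}
```

Sending the advisory's request with `user-token` to the unfixed handler returns the rendered query result with 200; the fixed handler answers 403 for the same request and still serves `admin-token`.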
Organizations operating SiYuan instances must upgrade to version 3.6.1 or later immediately. As an interim mitigation, administrators should ensure that SiYuan instances are strictly isolated from untrusted networks. Deploying a reverse proxy equipped with an external identity provider (e.g., OIDC) can restrict baseline access to the application, reducing the available attack surface.
Security teams can detect exploitation attempts by monitoring application and reverse proxy logs. A high volume of requests to the /api/template/renderSprig endpoint from standard user accounts indicates suspicious activity. Additionally, Web Application Firewalls (WAF) can be configured to inspect the template parameter in POST requests for common SQL keywords, providing an active defense layer against exfiltration payloads.
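An added example of the log-side detection described above, not taken from the advisory: it scans constructed JSON log records (the field names user, role, path and template are an assumption for this example, not SiYuan's or any reverse proxy's real log schema), counts renderSprig calls per non-admin account so a volume threshold can alert on them, and flags templates that pipe a SQL statement into the sql helper.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// entry is one constructed JSON log record; the field names are assumptions
// for this example, not SiYuan's or any reverse proxy's real log schema.
type entry struct {
	User, Role, Path, Template string // encoding/json matches these case-insensitively
}

// sqlPipe matches a Sprig pipeline that feeds a SQL statement into the sql
// helper, e.g. {{ "SELECT * FROM blocks" | sql }}; the keyword list is minimal.
var sqlPipe = regexp.MustCompile(`(?i)"\s*(select|pragma|with)\b[^"]*"\s*\|\s*sql\b`)

// Scan reads newline-separated JSON log lines and returns both signals the
// advisory names: renderSprig calls per non-admin account, and templates that
// pipe a SQL statement into the sql helper (tagged with the calling user).
func Scan(logs string) (nonAdminCalls map[string]int, sqlPayloads []string) {
	nonAdminCalls = map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		var e entry
		if json.Unmarshal([]byte(line), &e) != nil || e.Path != "/api/template/renderSprig" {
			continue
		}
		if e.Role != "admin" {
			nonAdminCalls[e.User]++
		}
		if sqlPipe.MatchString(e.Template) {
			sqlPayloads = append(sqlPayloads, e.User+": "+e.Template)
		}
	}
	return nonAdminCalls, sqlPayloads
}

// SampleLogs is constructed input: admin use, an unrelated call, one scraper.
const SampleLogs = `
{"user":"root","role":"admin","path":"/api/template/renderSprig","template":"{{ now | date \"2006\" }}"}
{"user":"bob","role":"user","path":"/api/other","template":""}
{"user":"alice","role":"user","path":"/api/template/renderSprig","template":"{{ \"SELECT name FROM sqlite_master\" | sql }}"}
{"user":"alice","role":"user","path":"/api/template/renderSprig","template":"{{ \"select * FROM blocks LIMIT 5\" | sql }}"}
{"user":"bob","role":"user","path":"/api/template/renderSprig","template":"{{ upper \"hi\" }}"}
`
```

The per-user counts are meant to feed a threshold alert rather than fire on their own, since a single call from a standard account can be legitimate; the SQL-pipeline match is the higher-confidence signal.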
| Product | Affected Versions | Fixed Version |
|---|---|---|
| SiYuan (siyuan-note) | < 3.6.1 | 3.6.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-285 |
| Attack Vector | Network |
| CVSS Score | 6.5 |
| Impact | High Confidentiality |
| Exploit Status | Proof of Concept Available |
| Authentication | Required (Low Privilege) |
CWE-285 (Improper Authorization): The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource.