CVE-2026-23851: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan

Severity: High
Tags: CVE-2026-23851, CWE-22
Published: Mon Jan 19 2026 (01/19/2026, 19:57:29 UTC)
Source: CVE Database V5
Vendor/Project: siyuan-note
Product: siyuan

Description

CVE-2026-23851 is a high-severity path traversal vulnerability in SiYuan Note versions prior to 3.5.4. It affects the /api/file/globalCopyFiles endpoint, which lets an authenticated user copy files into the application's workspace. The handler verifies that each requested source file exists but never restricts source paths to authorized directories, so an authenticated user can copy arbitrary files from anywhere on the server's filesystem into the workspace. Exploitation requires authentication but no user interaction, and can lead to unauthorized file access, data leakage, or manipulation of workspace contents. The issue is patched in version 3.5.4. European organizations running affected SiYuan versions should prioritize upgrading.

AI-Powered Analysis

Last updated: 01/27/2026, 20:23:52 UTC

Technical Analysis

CVE-2026-23851 is a path traversal vulnerability (CWE-22) in the SiYuan Note personal knowledge management system prior to version 3.5.4. The flaw is in the /api/file/globalCopyFiles endpoint, implemented in api/file.go. The handler accepts a JSON request body containing a list of source file paths (srcs) that an authenticated user wants copied into the application's workspace. The code checks that each source exists with filelock.IsExist(src), but an existence check is not a confinement check: nothing verifies that the resolved path lies inside the workspace directory. An authenticated user can therefore supply arbitrary absolute or parent-relative paths and have any file the server process can read copied into the workspace, which is how the unauthorized read access arises. The consequences are exposure of sensitive files, potential data leakage, and manipulation of workspace contents. The vulnerability requires no user interaction but does require authenticated access to the SiYuan instance. It carries a CVSS v4.0 base score of 8.3 (High): network attack vector, low attack complexity, low privileges (a valid account), no user interaction, and high confidentiality impact. It was publicly disclosed on January 19, 2026 and fixed in SiYuan 3.5.4. No exploitation in the wild has been reported to date.
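As an added illustration (not SiYuan's own code; the function names, the stand-in for filelock.IsExist and the workspace layout are assumptions), the existence-only pattern described above is shown beside a check that confines each src to the workspace. The hardened version normalizes the path, compares it with filepath.Rel rather than a string prefix, and resolves symlinks on both sides before accepting the file.

```go
// Added example, not SiYuan's code: the existence-only check the advisory
// describes, beside a source-path check that confines srcs to the workspace.
// Function names and the workspace layout are assumptions.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// isExist stands in for the existence check in the vulnerable handler.
func isExist(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

// vulnerableCheck mirrors the flawed logic: any existing path is accepted,
// so "/etc/passwd" passes exactly like a file inside the workspace.
func vulnerableCheck(src string) error {
	if !isExist(src) {
		return fmt.Errorf("%s: not found", src)
	}
	return nil
}

// ConfineToWorkspace returns the cleaned absolute form of src if it lies
// inside workspace, and an error otherwise. Relative srcs are joined onto the
// workspace, never onto the process working directory. filepath.Rel is used
// instead of a string prefix so that "/srv/ws2" is not accepted as "/srv/ws".
func ConfineToWorkspace(workspace, src string) (string, error) {
	wsAbs, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(src) {
		src = filepath.Join(wsAbs, src)
	}
	srcAbs := filepath.Clean(src)
	rel, err := filepath.Rel(wsAbs, srcAbs)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("source path escapes workspace: " + src)
	}
	return srcAbs, nil
}

// HardenedCheck is the corrected order of operations: confine lexically,
// confirm the file exists, then resolve symlinks on both sides and confine
// again, because a symlink inside the workspace can point anywhere.
func HardenedCheck(workspace, src string) (string, error) {
	p, err := ConfineToWorkspace(workspace, src)
	if err != nil {
		return "", err
	}
	if !isExist(p) {
		return "", fmt.Errorf("%s: not found", p)
	}
	realWs, err := filepath.EvalSymlinks(workspace)
	if err != nil {
		return "", err
	}
	realSrc, err := filepath.EvalSymlinks(p)
	if err != nil {
		return "", err
	}
	if _, err := ConfineToWorkspace(realWs, realSrc); err != nil {
		return "", fmt.Errorf("symlink target escapes workspace: %w", err)
	}
	return p, nil
}

func main() {
	ws, _ := os.MkdirTemp("", "siyuan-ws") // assumed workspace location
	defer os.RemoveAll(ws)
	os.WriteFile(filepath.Join(ws, "note.sy"), []byte("{}"), 0o600)
	srcs := []string{
		filepath.Join(ws, "note.sy"),             // legitimate
		"/etc/hosts",                             // absolute path outside
		filepath.Join(ws, "../../../etc/hosts"),  // parent traversal
	}
	for _, src := range srcs {
		_, err := HardenedCheck(ws, src)
		fmt.Printf("%-40s vulnerable=%v hardened=%v\n",
			src, vulnerableCheck(src) == nil, err == nil)
	}
}
```

The symlink step matters in practice: a user who can create files in the workspace can plant a symlink to a file outside it, and a purely lexical check would then copy the target.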

Potential Impact

For European organizations running SiYuan Note versions prior to 3.5.4, this vulnerability poses a significant risk of unauthorized file access and data leakage. An attacker with valid credentials can copy sensitive files from the server's filesystem into the application's workspace, exposing confidential information or intellectual property; where personal data is involved this can become a reportable breach under GDPR. The integrity of the knowledge base is also at risk, since files copied into the workspace can displace or distort existing content and disrupt operations. Because exploitation requires authentication, the realistic threat actors are malicious insiders and attackers holding compromised or phished credentials. The high CVSS score reflects serious confidentiality and integrity impact; availability is not directly affected. Organizations relying on SiYuan for critical knowledge management should treat this as a priority remediation item.

Mitigation Recommendations

European organizations should upgrade SiYuan Note to version 3.5.4 or later without delay; that is the only complete fix. Until the upgrade is applied: restrict who can reach the /api/file/globalCopyFiles endpoint, for example by placing the instance behind an authenticating reverse proxy or VPN and limiting access to trusted users via network segmentation; monitor authenticated activity for file copy requests whose source paths are absolute or climb out of the workspace with "..", keeping in mind that a rule matching only ".." will miss an absolute path such as /etc/passwd, which the vulnerable endpoint accepts just as readily; deploy Web Application Firewall rules that inspect the JSON request body rather than just the URL, since the traversal sits in the srcs field; run file integrity monitoring on the workspace directory to detect unexpected additions or changes; audit accounts and credentials regularly, because every exploitation path starts with a valid login; and review application and proxy logs for signs of attempted exploitation. These measures reduce exposure and improve detection while the patch is rolled out, but none of them substitutes for upgrading.
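As an added example of the request-level monitoring described above (not SiYuan's code and not a vendor-supplied rule), a small inspector that parses a globalCopyFiles body and flags each src that is an absolute path outside the workspace or that climbs above it after percent-decoding. Only the srcs field is taken from the advisory; the workspace root and the sample bodies are constructed for illustration.

```go
// Added example, not SiYuan's code: a request-body inspector of the kind a
// WAF rule or log monitor would apply to /api/file/globalCopyFiles. Only the
// "srcs" field comes from the advisory; everything else is constructed.
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// CopyRequest is the body shape the advisory describes.
type CopyRequest struct {
	Srcs []string `json:"srcs"`
}

// Finding records why one src was flagged.
type Finding struct {
	Src    string
	Reason string
}

// normalize undoes up to two layers of percent-encoding and maps backslashes
// to slashes so that "..%2F", "%252e%252e/" and "..\" are all seen as "../".
func normalize(s string) string {
	for i := 0; i < 2; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return strings.ReplaceAll(s, "\\", "/")
}

// isAbsolute covers POSIX roots, UNC-style "//" and Windows drive letters.
func isAbsolute(s string) bool {
	if strings.HasPrefix(s, "/") {
		return true
	}
	return len(s) >= 3 && s[1] == ':' && s[2] == '/' &&
		((s[0] >= 'a' && s[0] <= 'z') || (s[0] >= 'A' && s[0] <= 'Z'))
}

// InspectBody flags every src that, after normalization, is an absolute path
// outside workspaceRoot or climbs above the workspace with "..". Matching on
// the literal ".." alone would miss "/etc/passwd", which is exactly the kind
// of src the vulnerable endpoint accepted.
func InspectBody(workspaceRoot string, body []byte) ([]Finding, error) {
	var req CopyRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	root := path.Clean(normalize(workspaceRoot))
	var out []Finding
	for _, raw := range req.Srcs {
		n := path.Clean(normalize(raw))
		switch {
		case isAbsolute(n):
			if n != root && !strings.HasPrefix(n, root+"/") {
				out = append(out, Finding{raw, "absolute path outside workspace"})
			}
		case n == ".." || strings.HasPrefix(n, "../"):
			out = append(out, Finding{raw, "parent traversal after decoding"})
		}
	}
	return out, nil
}

func main() {
	const root = "/srv/siyuan/workspace" // assumed workspace root
	samples := []string{ // constructed request bodies, not captured traffic
		`{"srcs":["assets/diagram.png","/srv/siyuan/workspace/data/note.sy"]}`,
		`{"srcs":["/etc/passwd"]}`,
		`{"srcs":["..%2F..%2Fconf%2Fconf.json","%252e%252e/%252e%252e/.ssh/id_rsa"]}`,
		`{"srcs":["C:\\Users\\admin\\.ssh\\id_rsa"]}`,
	}
	for _, body := range samples {
		f, err := InspectBody(root, []byte(body))
		fmt.Printf("%s\n  -> %d finding(s) %v err=%v\n", body, len(f), f, err)
	}
}
```

The workspace root is an input rather than a constant because absolute paths inside the workspace may be legitimate; the rule should flag only those that leave it. Double decoding is deliberate: a proxy or the application may decode once, so a monitor that decodes only once can be bypassed with "%252e%252e".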


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-16T15:46:40.843Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 696e8ea44623b1157ccb6c5c

Added to database: 1/19/2026, 8:05:56 PM

Last enriched: 1/27/2026, 8:23:52 PM

Last updated: 2/7/2026, 4:56:59 AM
