CVE-2026-29073 identifies a missing authorization vulnerability (CWE-862) in the SiYuan personal knowledge management system prior to version 3.6.0. The vulnerability exists in the /api/query/sql endpoint, which permits any authenticated user to execute arbitrary SQL queries directly against the backend database. The root cause is that the endpoint only enforces basic authentication but does not verify that the user has administrative privileges before allowing SQL execution. This lack of proper authorization enables users with minimal privileges, such as readers, to perform potentially destructive or data-exfiltrating SQL commands. The vulnerability also relates to CWE-89 (SQL Injection) because it allows arbitrary SQL execution, though here the injection vector is authorized users abusing insufficient access controls rather than external injection. The vulnerability is remotely exploitable without user interaction and requires only low privileges (authenticated user). The CVSS 4.0 score is 5.7 (medium severity), reflecting the moderate impact and ease of exploitation. The issue was publicly disclosed and patched in version 3.6.0, but no known exploits have been reported in the wild. The vulnerability poses risks including unauthorized data access, data modification, and potential denial of service through malicious SQL commands.

The vulnerability allows any authenticated user, including those with minimal read-only permissions, to execute arbitrary SQL queries on the SiYuan database. This can lead to unauthorized disclosure of sensitive information, data tampering, or deletion, compromising confidentiality, integrity, and availability of the system. Attackers could extract confidential notes, modify or delete data, or disrupt service by executing destructive queries. Since the vulnerability requires only basic authentication and no user interaction, it can be exploited remotely by any logged-in user, increasing the attack surface. Organizations relying on SiYuan for knowledge management risk data breaches and operational disruption. The impact is particularly severe in environments where sensitive or proprietary information is stored. Additionally, the ability to run arbitrary SQL commands could facilitate further lateral movement or privilege escalation within the environment.

To mitigate this vulnerability, organizations should immediately upgrade SiYuan to version 3.6.0 or later, where the authorization checks have been properly implemented. Until upgrade is possible, restrict access to the /api/query/sql endpoint to trusted administrative users only, using network-level controls such as firewall rules or API gateways. Implement strong authentication and role-based access controls to ensure only authorized administrators can execute SQL queries. Monitor logs for unusual SQL query activity or access patterns indicative of exploitation attempts. Conduct regular audits of user privileges to minimize the number of users with elevated access. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL query requests. Educate users about the risks of sharing credentials and enforce multi-factor authentication to reduce the risk of compromised accounts being used to exploit this vulnerability.