CVE-2026-30869: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan
CVE-2026-30869 is a critical path traversal vulnerability in the SiYuan personal knowledge management system in versions prior to 3.5.10. It exists in the /export endpoint and allows attackers to read arbitrary files on the server by exploiting double-encoded traversal sequences. Sensitive files such as conf/conf.json, containing API tokens, cookie signing keys, and workspace authentication codes, can be accessed. Exposure of these secrets may grant administrative access to the SiYuan kernel API and could be chained to remote code execution in some deployments. The vulnerability has a CVSS score of 9.3, indicating high severity with a network attack vector and no authentication required. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2026-30869 is a path traversal vulnerability categorized under CWE-22 affecting the SiYuan knowledge management system before version 3.5.10. The flaw resides in the /export endpoint, where insufficient validation of pathname inputs allows attackers to use double-encoded traversal sequences (e.g., %252e%252e/) to bypass directory restrictions and access arbitrary files on the server filesystem. A single round of decoding turns %252e%252e/ into %2e%2e/, which contains no literal "..", so a check applied at that stage passes it; a later decoding step then yields ../ and the traversal takes effect. This improper limitation of the pathname enables reading of sensitive configuration files such as conf/conf.json, which contains critical secrets including API tokens, cookie signing keys, and workspace access authentication codes. These secrets can be leveraged to gain administrative privileges over the SiYuan kernel API, potentially allowing attackers to manipulate or extract data. In certain deployment environments, this initial access could be chained with other vulnerabilities or misconfigurations to achieve remote code execution (RCE), escalating the threat impact. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The issue was addressed and fixed in SiYuan version 3.5.10 by properly sanitizing and validating input paths to prevent traversal attacks. Although no active exploits have been reported, the critical nature of the vulnerability and the sensitivity of exposed data make it a significant threat to affected users.
Potential Impact
The impact of CVE-2026-30869 is substantial for organizations using vulnerable versions of SiYuan. Unauthorized reading of arbitrary files can lead to exposure of sensitive secrets such as API tokens and authentication keys, compromising confidentiality and enabling unauthorized administrative access. This can result in data breaches, unauthorized data manipulation, and loss of trust in the system. In environments where SiYuan is integrated with other services or contains sensitive organizational knowledge, the risk escalates. Furthermore, the potential to chain this vulnerability into remote code execution could allow attackers to execute arbitrary commands on the server, leading to full system compromise, data destruction, or lateral movement within the network. The vulnerability’s ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially in exposed or internet-facing deployments. Organizations relying on SiYuan for critical knowledge management must consider this a high-priority risk.
Mitigation Recommendations
To mitigate CVE-2026-30869, organizations should immediately upgrade all SiYuan installations to version 3.5.10 or later, where the vulnerability has been patched. Additionally, administrators should audit access controls and restrict exposure of the /export endpoint to trusted networks or VPNs to reduce attack surface. Implementing web application firewalls (WAFs) with rules to detect and block double-encoded traversal sequences can provide an additional layer of defense. Regularly review and rotate sensitive credentials stored in configuration files to limit the impact of any potential leaks. Employ monitoring and alerting for unusual access patterns or attempts to access sensitive files. In deployments where SiYuan is integrated with other systems, conduct thorough security assessments to identify and remediate any chained vulnerabilities that could lead to RCE. Finally, maintain an incident response plan to quickly address any exploitation attempts.
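The following Go program is an added example written for this page; it is not SiYuan's code and makes no claim about how the /export handler was actually implemented or fixed. It serves the Technical Summary above, by contrasting a decode-once check (the pattern that %252e%252e/ slips past) with a resolver that decodes until the input is stable and then proves the result stays under the export root, and it serves the Mitigation Recommendations, by running that same resolver as a detection pass over access-log lines to flag /export requests that carry plain, single- or double-encoded traversal. The export root, the log line format and every request path are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// exportRoot is a constructed directory for the example, not a SiYuan path.
const exportRoot = "/srv/siyuan/export"

// ErrTraversal is returned when a requested path would escape the root.
var ErrTraversal = errors.New("path escapes export root")

// naiveCheck is a hypothetical weak check that double encoding defeats:
// decode once, then look for "..". "%252e%252e/" decodes to "%2e%2e/",
// which has no literal "..", so it passes and is decoded again downstream.
func naiveCheck(raw string) (string, error) {
	once, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	if strings.Contains(once, "..") {
		return "", ErrTraversal
	}
	return once, nil
}

// fullyDecode percent-decodes until the string stops changing, so nested
// encodings cannot hide traversal tokens; the bound rejects absurd inputs.
func fullyDecode(raw string) (string, error) {
	cur := raw
	for i := 0; i < 5; i++ {
		next, err := url.PathUnescape(cur)
		if err != nil {
			return "", err
		}
		if next == cur {
			return cur, nil
		}
		cur = next
	}
	return "", errors.New("too many encoding layers")
}

// SafeExportPath resolves a user-supplied path inside root: fully decode,
// normalise separators, clean and join, then prove the result is under root.
// A leading "/" in raw is treated as relative to root rather than absolute.
func SafeExportPath(root, raw string) (string, error) {
	decoded, err := fullyDecode(raw)
	if err != nil {
		return "", err
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	cleanRoot := filepath.Clean(root)
	full := filepath.Join(cleanRoot, filepath.FromSlash(decoded))
	rel, err := filepath.Rel(cleanRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// FlagTraversalRequests is a detection pass over access-log lines of the
// constructed form `<client> "<METHOD> <path> HTTP/1.1" <status>`. A line is
// flagged when it targets /export and the requested path fails
// SafeExportPath, which catches plain and encoded traversal alike.
func FlagTraversalRequests(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		q1, q2 := strings.Index(line, `"`), strings.LastIndex(line, `"`)
		if q1 < 0 || q2 <= q1 {
			continue
		}
		fields := strings.Fields(line[q1+1 : q2])
		if len(fields) < 2 || !strings.HasPrefix(fields[1], "/export") {
			continue
		}
		if _, err := SafeExportPath(exportRoot, strings.TrimPrefix(fields[1], "/export")); err != nil {
			flagged = append(flagged, fields[1])
		}
	}
	return flagged
}

func main() {
	logs := []string{ // constructed sample lines
		`10.0.0.5 "GET /export/notes/daily.md HTTP/1.1" 200`,
		`10.0.0.9 "GET /export/%252e%252e/%252e%252e/conf/conf.json HTTP/1.1" 200`,
		`10.0.0.9 "GET /export/..%2fconf/conf.json HTTP/1.1" 200`,
		`10.0.0.7 "GET /api/system/version HTTP/1.1" 200`,
	}
	fmt.Println(FlagTraversalRequests(logs))
}
```

Running the program flags the two /export lines whose paths resolve outside the root and leaves the ordinary note export and the non-/export request alone. The resolver does the containment proof with filepath.Rel rather than a string-prefix comparison, so a sibling directory such as /srv/siyuan/export-old cannot pass as "inside" the root; a WAF rule that only matches the literal %252e token would miss mixed forms like ..%2f, which is why the detector reuses the resolver instead of a pattern list.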
Affected Countries
United States, China, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-06T00:04:56.697Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69af4e6aea502d3aa8cf7cc9
Added to database: 3/9/2026, 10:49:14 PM
Last enriched: 3/9/2026, 11:03:35 PM
Last updated: 3/10/2026, 4:16:49 AM