CVE-2026-32704 is a security vulnerability classified under CWE-285 (Improper Authorization) and CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting the SiYuan personal knowledge management system prior to version 3.6.1. The vulnerability exists in the POST /api/template/renderSprig API endpoint, which lacks proper verification of the user's administrative role via the model.CheckAdminRole function. As a result, any authenticated user, regardless of privilege level, can craft requests to execute arbitrary SQL queries directly against the SiYuan workspace database. This flaw enables unauthorized extraction of all stored note content, metadata, and custom attributes, severely compromising confidentiality. The vulnerability does not impact data integrity or availability but exposes sensitive user data to unauthorized disclosure. Exploitation requires only authentication, no additional user interaction, and can be performed remotely over the network. The CVSS v3.1 base score is 6.5, reflecting medium severity due to high confidentiality impact but limited integrity and availability impact. The issue was addressed and fixed in SiYuan version 3.6.1 by implementing proper admin role checks on the vulnerable endpoint. No public exploits have been reported to date, but the risk remains for unpatched systems. This vulnerability highlights the critical need for strict authorization controls on API endpoints that interact with sensitive data stores.

The primary impact of CVE-2026-32704 is the unauthorized disclosure of sensitive information stored within the SiYuan knowledge management system. Attackers with any authenticated user credentials can leverage this flaw to execute arbitrary SQL queries, enabling them to extract all notes, metadata, and custom attributes. This can lead to significant data breaches, loss of intellectual property, exposure of confidential information, and potential privacy violations. Organizations relying on SiYuan for personal or enterprise knowledge management face risks of insider threats or compromised user accounts being exploited to access sensitive data. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have serious reputational and compliance consequences. The ease of exploitation and network accessibility increase the likelihood of attacks, especially in environments where user authentication is weak or where many users have access to the system. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

To mitigate CVE-2026-32704, organizations should immediately upgrade all SiYuan deployments to version 3.6.1 or later, where the vulnerability is patched by enforcing proper admin role checks on the /api/template/renderSprig endpoint. Additionally, restrict user access to the SiYuan system to trusted individuals and implement strong authentication mechanisms such as multi-factor authentication to reduce the risk of compromised credentials. Conduct a thorough audit of user roles and permissions to ensure least privilege principles are applied, limiting authenticated users' capabilities to only what is necessary. Monitor logs for unusual API usage patterns indicative of unauthorized SQL query attempts. If upgrading is temporarily not possible, consider network-level controls such as IP whitelisting or VPN access restrictions to limit exposure. Finally, educate users about the importance of credential security and promptly revoke access for inactive or suspicious accounts. Regularly review and update security policies related to knowledge management systems to prevent similar authorization flaws.