CVE-2026-32767 is a critical SQL injection vulnerability affecting SiYuan, a personal knowledge management system, in versions prior to 3.6.1. The vulnerability resides in the /api/search/fullTextSearchBlock endpoint, specifically when the method parameter is set to 2. In this scenario, the endpoint directly passes user-supplied input as a raw SQL statement to the underlying SQLite database without performing any authorization or read-only checks. This behavior contrasts with the dedicated SQL query endpoint (/api/query/sql), which properly enforces CheckAdminRole and CheckReadonly middleware to restrict access. Due to this oversight, any authenticated user, including those assigned the Reader role with limited privileges, can execute arbitrary SQL commands such as SELECT, DELETE, UPDATE, or DROP TABLE. This effectively allows attackers to bypass the application's security model, leading to unauthorized data access, data manipulation, or destruction. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-863 (Incorrect Authorization). The flaw was publicly disclosed on March 20, 2026, with a CVSS v3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability without requiring user interaction or elevated privileges beyond authentication. Although no known exploits have been reported in the wild, the severity and ease of exploitation make this a high-risk vulnerability. The issue was resolved in SiYuan version 3.6.1 by enforcing proper authorization and read-only checks on the vulnerable endpoint.

The impact of CVE-2026-32767 is severe for organizations using affected versions of SiYuan. Attackers with any authenticated access, including low-privileged Reader roles, can execute arbitrary SQL commands on the application's SQLite database. This can lead to unauthorized disclosure of sensitive information, data tampering, deletion of critical data, or complete destruction of the database. Such actions can compromise the confidentiality, integrity, and availability of organizational knowledge assets managed within SiYuan. The vulnerability undermines the trust model of the application by allowing privilege escalation through bypassing intended access controls. Organizations relying on SiYuan for knowledge management may face operational disruption, data loss, or exposure of proprietary or personal information. Given the critical CVSS score and the lack of required elevated privileges, exploitation could be straightforward, increasing the risk of widespread impact if attackers gain authenticated access. The absence of known exploits in the wild does not diminish the urgency of remediation due to the vulnerability's high severity and potential for damage.

To mitigate CVE-2026-32767, organizations should immediately upgrade SiYuan to version 3.6.1 or later, where the vulnerability has been fixed by enforcing proper authorization and read-only checks on the /api/search/fullTextSearchBlock endpoint. Until upgrading is possible, organizations should restrict access to the application to trusted users only and consider disabling or restricting the vulnerable endpoint if feasible. Implement network-level access controls such as IP whitelisting or VPN requirements to limit exposure. Conduct thorough audits of user roles and permissions to ensure that only necessary users have authenticated access, minimizing the attack surface. Monitor application logs for unusual SQL queries or unexpected database activity that could indicate exploitation attempts. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the vulnerable endpoint. Regularly review and update security policies to enforce least privilege principles and ensure timely patch management for all software components.