CVE-2026-32938 is a critical path traversal vulnerability (CWE-22) found in SiYuan, a personal knowledge management system. In versions 3.6.0 and earlier, the desktop component exposes an endpoint, /api/lute/html2BlockDOM, which processes pasted HTML content containing file:// links. This endpoint copies local files referenced by these links into the workspace assets directory without validating whether the file paths are restricted or sensitive. This lack of path validation allows an attacker with publish-service authentication to specify arbitrary file paths, including sensitive system or user files, leading to unauthorized file copying. The copied files can then be accessed via the GET /assets/*path endpoint, which requires authentication but no elevated privileges, enabling the attacker to read and exfiltrate sensitive files. The vulnerability impacts confidentiality by exposing sensitive data, integrity by allowing unauthorized file copying, and availability by potentially disrupting normal asset management. The vulnerability was assigned a CVSS v3.1 score of 9.9 (critical), reflecting its ease of exploitation over the network (AV:N), low attack complexity (AC:L), requiring only low privileges (PR:L), no user interaction (UI:N), and a scope change (S:C) that affects other components. The issue was fixed in version 3.6.1 by implementing proper path validation and restricting file copying to authorized directories only. No known exploits in the wild have been reported yet, but the critical nature and ease of exploitation make this a high-risk vulnerability for affected users.

The vulnerability allows attackers with low-level authenticated access to exfiltrate arbitrary sensitive files from the local filesystem of the SiYuan desktop application. This can lead to significant confidentiality breaches, including exposure of user credentials, private documents, configuration files, or other sensitive data stored locally. The integrity of the workspace assets directory can be compromised by unauthorized file copying, potentially leading to further exploitation or data corruption. Availability may also be affected if critical files are overwritten or manipulated. Organizations using SiYuan in environments where sensitive data is stored or processed are at risk of data leakage and potential compliance violations. Since the vulnerability requires only low privilege authentication and no user interaction, it lowers the barrier for attackers to exploit, increasing the threat surface. The scope change means the vulnerability affects components beyond the initial vulnerable endpoint, amplifying the impact. Overall, this vulnerability poses a critical risk to confidentiality and operational security for affected organizations worldwide.

1. Immediate upgrade to SiYuan version 3.6.1 or later, where the vulnerability is patched with proper path validation. 2. Restrict access to the publish-service and authenticated endpoints to trusted users only, employing strong authentication and authorization controls. 3. Implement network segmentation and firewall rules to limit exposure of the SiYuan desktop application to untrusted networks. 4. Monitor and audit access logs for unusual GET /assets/*path requests that may indicate exploitation attempts. 5. Conduct a thorough review of sensitive files stored locally on systems running vulnerable versions and assess potential data exposure. 6. Employ endpoint detection and response (EDR) solutions to detect anomalous file copying or access patterns related to the vulnerability. 7. Educate users about the risks of pasting untrusted HTML content containing file:// links into SiYuan to reduce attack vectors. 8. If upgrading immediately is not feasible, consider disabling or restricting the vulnerable API endpoints temporarily as a stopgap measure.