
CVE-2026-33194: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan

Severity: Medium (CVSS 3.1 base score 6.8)
Published: Fri Mar 20 2026 (03/20/2026, 22:30:33 UTC)
Source: CVE Database V5
Vendor/Project: siyuan-note
Product: siyuan

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the `IsSensitivePath()` function in `kernel/util/path.go` uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including `/opt` (application data), `/usr` (local configs/binaries), `/home` (other users), `/mnt` and `/media` (mounted volumes). The `globalCopyFiles` and `importStdMd` endpoints rely on `IsSensitivePath` as their primary defense against reading files outside the workspace. Version 3.6.2 contains an updated fix.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/28/2026, 21:12:09 UTC

Technical Analysis

CVE-2026-33194 is a path traversal weakness (CWE-22) in the SiYuan personal knowledge management system, affecting versions prior to 3.6.2. The root cause is the IsSensitivePath() function in kernel/util/path.go, which decides whether a requested path is off-limits by comparing it against a denylist of "sensitive" directories. That list had recently been expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but is still incomplete: the advisory names /opt (application data), /usr (local binaries and configuration), /home (other users' directories), /mnt and /media (mounted volumes) as locations the check does not block.

The weakness matters because two endpoints, globalCopyFiles and importStdMd, use IsSensitivePath() as their primary defense against reading files outside the user's workspace. The check is structurally the wrong kind: a denylist can only ever name the directories its author thought of, so any location not on the list is readable by default. The robust control for this class of bug is the inverse, an allowlist that canonicalizes the requested path (absolute, cleaned, symlinks resolved) and accepts it only if the result lies inside the workspace root.

Exploitation requires an authenticated caller with high privileges; with that access, an attacker can make either endpoint read arbitrary files from the unlisted locations. The vulnerability grants read access only: it does not allow modifying or deleting files and has no availability impact. The CVSS 3.1 base score of 6.8 (Medium) corresponds to network attack vector, low attack complexity, high privileges required, no user interaction, changed scope (the application reaches into files belonging to other components or users), high confidentiality impact, and no integrity or availability impact. Version 3.6.2 contains an updated fix for the path check. No exploitation in the wild had been reported at the time of this analysis.
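To make the denylist-versus-allowlist point concrete, the following Go code is an added illustration written for this page; it is not SiYuan's code, and the prefix list in it is a constructed stand-in, not the project's actual list. It contrasts a denylist-shaped check (which passes anything not enumerated, such as /opt or /home) with a workspace-containment check, and adds a symlink-resolving variant for paths that exist on disk. The workspace path /srv/siyuan/workspace used in the demo is an assumption.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// sensitivePrefixes is a CONSTRUCTED, hypothetical denylist used only to show
// the failure mode. It is not the list from kernel/util/path.go. Anything not
// under one of these prefixes is allowed by default, which is the problem.
var sensitivePrefixes = []string{"/etc", "/root", "/proc", "/sys", "/dev", "/boot"}

// denylistAllows has the shape of a denylist check (Linux path semantics
// assumed): a path is permitted unless it sits under a listed prefix.
func denylistAllows(p string) bool {
	clean := filepath.Clean(p)
	for _, prefix := range sensitivePrefixes {
		if clean == prefix || strings.HasPrefix(clean, prefix+"/") {
			return false
		}
	}
	return true
}

// withinWorkspace is the allowlist alternative: a lexical containment check.
// Relative candidates are resolved against the workspace, both sides are
// cleaned, and the candidate is accepted only if its workspace-relative form
// does not climb out via "..". No filesystem access is needed.
func withinWorkspace(workspace, candidate string) (bool, error) {
	ws, err := filepath.Abs(workspace)
	if err != nil {
		return false, err
	}
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(ws, candidate)
	}
	rel, err := filepath.Rel(ws, filepath.Clean(candidate))
	if err != nil {
		return false, err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false, nil
	}
	return true, nil
}

// withinWorkspaceResolved repeats the containment check after resolving
// symlinks on both sides, so a link inside the workspace that points outside
// it is rejected. Both the workspace and the candidate must exist on disk.
func withinWorkspaceResolved(workspace, candidate string) (bool, error) {
	if ok, err := withinWorkspace(workspace, candidate); err != nil || !ok {
		return ok, err
	}
	wsAbs, err := filepath.Abs(workspace)
	if err != nil {
		return false, err
	}
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(wsAbs, candidate)
	}
	wsReal, err := filepath.EvalSymlinks(wsAbs)
	if err != nil {
		return false, err
	}
	candReal, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return false, err
	}
	return withinWorkspace(wsReal, candReal)
}

func main() {
	// Assumed workspace root for the demo.
	ws := "/srv/siyuan/workspace"
	for _, p := range []string{
		"/opt/app/config.yaml",
		"/home/alice/.ssh/id_ed25519",
		"/etc/passwd",
		"/srv/siyuan/workspace/data/note.md",
		"../../etc/passwd",
	} {
		inWs, _ := withinWorkspace(ws, p)
		fmt.Printf("%-40s denylist=%-5v workspace=%v\n", p, denylistAllows(p), inWs)
	}
}
```

The lexical check is sufficient for rejecting crafted request paths; the symlink-resolving variant closes the case where an attacker can plant a link inside the workspace. Even then the check is a time-of-check/time-of-use race against a concurrent rename, so the read itself should run with the least filesystem privilege the service can be given.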

Potential Impact

The primary impact of CVE-2026-33194 is unauthorized disclosure of information. An authenticated, high-privileged attacker can direct the globalCopyFiles or importStdMd endpoint at files outside the workspace: configuration files and binaries under /usr and /opt, other users' home directories, and anything on volumes mounted under /mnt or /media. Depending on what is present, that can expose credentials, keys, personal data, or intellectual property. The vulnerability does not allow modifying or deleting files, but a confidentiality breach alone is serious for organizations that keep sensitive notes in SiYuan. The directories the advisory names are Linux-specific, so the documented exposure is for Linux deployments running versions before 3.6.2; the risk is highest where the application runs in a multi-user or shared environment, or on a host that also holds other services' data. The absence of known in-the-wild exploitation lowers immediate risk but does not rule out targeted use. Overall, the vulnerability poses a moderate risk to confidentiality with no direct impact on integrity or availability.

Mitigation Recommendations

To mitigate CVE-2026-33194, upgrade SiYuan to version 3.6.2 or later, which contains the updated fix for the path check. Until the upgrade is possible, restrict access to the globalCopyFiles and importStdMd endpoints to fully trusted users, since exploitation requires authenticated high-privilege access, and log requests to those endpoints so that calls carrying absolute paths or ".." segments that point outside the workspace can be reviewed. Limit what a successful read can reach by running the SiYuan kernel under a dedicated low-privilege account with filesystem isolation: on a systemd host, directives such as ProtectHome, ProtectSystem and ReadWritePaths restrict the service's view of /home, /usr and /etc; a container with only the workspace mounted achieves the same. File-access auditing on the host (for example auditd rules on the sensitive directories) provides detection if isolation is not an option. Review privilege assignments to keep the set of high-privilege users as small as possible. Finally, if you maintain plugins or extensions that accept file paths, check that they validate paths by containment within the workspace rather than by denylist, so they do not reintroduce the same weakness.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-17T22:16:36.721Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69bdda59b462d409683a8cc7

Added to database: 3/20/2026, 11:38:01 PM

Last enriched: 3/28/2026, 9:12:09 PM

Last updated: 5/2/2026, 9:14:06 PM

