CVE-2026-33476 is a path traversal vulnerability (CWE-22) affecting Siyuan Note, a personal knowledge management system, in versions prior to 3.6.2. The vulnerability arises from improper limitation of pathname inputs to a restricted directory in the Siyuan kernel's file-serving endpoint located at /appearance/*filepath. This endpoint serves files without proper sanitization of the filepath parameter, allowing attackers to traverse directories and access arbitrary files on the server filesystem that the Siyuan process can read. Notably, this endpoint explicitly excludes authentication checks, meaning no credentials or user interaction are required to exploit the flaw remotely over the network. The vulnerability compromises confidentiality by exposing potentially sensitive files, but does not impact file integrity or service availability. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. The issue was publicly disclosed on March 20, 2026, and fixed in Siyuan Note version 3.6.2. No known exploits have been reported in the wild yet. The vulnerability is related to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path).

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored on servers running vulnerable Siyuan Note versions. Attackers can read arbitrary files, potentially including configuration files, credentials, private notes, or other sensitive data accessible to the application process. This breach of confidentiality could lead to further attacks such as credential theft, lateral movement, or data leakage. Since no authentication is required, any remote attacker can exploit this vulnerability, increasing the risk surface significantly. Although integrity and availability are not directly affected, the exposure of sensitive data can have severe operational and reputational consequences for organizations relying on Siyuan Note for knowledge management. The impact is especially critical for organizations handling sensitive or proprietary information. The lack of known exploits in the wild suggests limited active exploitation currently, but the ease of exploitation and severity warrant urgent remediation.

Organizations should immediately upgrade Siyuan Note installations to version 3.6.2 or later, where the vulnerability is patched. Until upgrade is possible, restrict network access to the Siyuan Note server, especially blocking external access to the /appearance/*filepath endpoint. Implement web application firewall (WAF) rules to detect and block path traversal patterns targeting this endpoint. Conduct thorough audits of server logs to detect any suspicious access attempts to this endpoint. Review and minimize file permissions for the Siyuan Note process to limit accessible files, reducing potential data exposure. Consider deploying network segmentation to isolate Siyuan Note servers from untrusted networks. Educate administrators and users about the risk and ensure timely application of security updates. Finally, monitor threat intelligence sources for any emerging exploit activity related to this vulnerability.