CVE-2026-33476: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
AI Analysis
Technical Summary
CVE-2026-33476 is a path traversal vulnerability (CWE-22) found in Siyuan Note, a personal knowledge management system. The issue exists in versions prior to 3.6.2 where the Siyuan kernel exposes an unauthenticated file-serving endpoint under the path /appearance/*filepath. This endpoint explicitly excludes authentication checks, allowing any remote attacker to access it without credentials. Due to improper sanitization of the filepath parameter, attackers can craft specially formed requests that traverse directories outside the intended restricted directory. This enables reading of arbitrary files accessible by the server process, potentially exposing sensitive configuration files, user data, or system files. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The CVSS v3.1 base score is 7.5, reflecting high confidentiality impact but no impact on integrity or availability. The flaw was addressed in Siyuan Note version 3.6.2 by properly sanitizing the filepath input and enforcing access controls on the endpoint.
Potential Impact
This vulnerability allows unauthorized remote attackers to read arbitrary files on the server running vulnerable Siyuan Note instances. The confidentiality of sensitive information such as user notes, configuration files, credentials, or other private data stored on the server can be compromised. This could lead to further attacks such as credential theft, lateral movement, or exposure of intellectual property. Since the vulnerability requires no authentication and no user interaction, it significantly lowers the barrier for exploitation. Organizations relying on Siyuan Note for personal or enterprise knowledge management risk data breaches and loss of privacy. Although integrity and availability are not directly impacted, the exposure of sensitive files can have severe operational and reputational consequences.
Mitigation Recommendations
1. Upgrade Siyuan Note to version 3.6.2 or later immediately to apply the official patch that fixes the path traversal vulnerability. 2. If upgrading is not immediately possible, restrict network access to the Siyuan Note server, limiting exposure to trusted internal networks only. 3. Implement web application firewalls (WAFs) with rules to detect and block path traversal attack patterns targeting the /appearance/ endpoint. 4. Conduct regular audits of server file permissions to ensure the Siyuan process runs with the least privileges necessary, minimizing accessible files. 5. Monitor server logs for suspicious requests containing directory traversal sequences such as ../ or encoded variants. 6. Educate administrators to disable or restrict unauthenticated endpoints where feasible. 7. Consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real time.
Affected Countries
United States, China, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, India
CVE-2026-33476: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint, allowing exploitation without valid credentials. Version 3.6.2 fixes this issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33476 is a path traversal vulnerability (CWE-22) found in Siyuan Note, a personal knowledge management system. The issue exists in versions prior to 3.6.2 where the Siyuan kernel exposes an unauthenticated file-serving endpoint under the path /appearance/*filepath. This endpoint explicitly excludes authentication checks, allowing any remote attacker to access it without credentials. Due to improper sanitization of the filepath parameter, attackers can craft specially formed requests that traverse directories outside the intended restricted directory. This enables reading of arbitrary files accessible by the server process, potentially exposing sensitive configuration files, user data, or system files. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The CVSS v3.1 base score is 7.5, reflecting high confidentiality impact but no impact on integrity or availability. The flaw was addressed in Siyuan Note version 3.6.2 by properly sanitizing the filepath input and enforcing access controls on the endpoint.
Potential Impact
This vulnerability allows unauthorized remote attackers to read arbitrary files on the server running vulnerable Siyuan Note instances. The confidentiality of sensitive information such as user notes, configuration files, credentials, or other private data stored on the server can be compromised. This could lead to further attacks such as credential theft, lateral movement, or exposure of intellectual property. Since the vulnerability requires no authentication and no user interaction, it significantly lowers the barrier for exploitation. Organizations relying on Siyuan Note for personal or enterprise knowledge management risk data breaches and loss of privacy. Although integrity and availability are not directly impacted, the exposure of sensitive files can have severe operational and reputational consequences.
Mitigation Recommendations
1. Upgrade Siyuan Note to version 3.6.2 or later immediately to apply the official patch that fixes the path traversal vulnerability. 2. If upgrading is not immediately possible, restrict network access to the Siyuan Note server, limiting exposure to trusted internal networks only. 3. Implement web application firewalls (WAFs) with rules to detect and block path traversal attack patterns targeting the /appearance/ endpoint. 4. Conduct regular audits of server file permissions to ensure the Siyuan process runs with the least privileges necessary, minimizing accessible files. 5. Monitor server logs for suspicious requests containing directory traversal sequences such as ../ or encoded variants. 6. Educate administrators to disable or restrict unauthenticated endpoints where feasible. 7. Consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T16:16:48.970Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69bdda59b462d409683a8cd7
Added to database: 3/20/2026, 11:38:01 PM
Last enriched: 3/20/2026, 11:44:32 PM
Last updated: 3/21/2026, 1:07:12 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.