CVE-2026-33670 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as a path traversal flaw. This vulnerability affects the SiYuan personal knowledge management system, specifically versions prior to 3.6.2. The flaw exists in the /api/file/readDir interface, which is designed to traverse and retrieve file names within a user's notebook directory. Due to insufficient validation of user-supplied input, an attacker can manipulate the pathname parameter to traverse outside the intended directory boundaries, accessing arbitrary files on the host system. This can lead to unauthorized disclosure of sensitive files, potential modification of critical data, or disruption of application functionality. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it highly accessible to attackers. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with high impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the vulnerability was publicly disclosed and patched in SiYuan version 3.6.2. The patch addresses the issue by properly restricting pathname inputs to prevent directory traversal beyond the notebook scope.

The impact of CVE-2026-33670 on organizations worldwide is substantial. Exploitation allows attackers to access sensitive files outside the intended directories, potentially exposing confidential user data, intellectual property, or system configuration files. This can lead to data breaches, loss of privacy, and compliance violations. Furthermore, attackers might modify or delete critical files, compromising data integrity and application stability. The vulnerability also poses a risk to system availability if critical files are tampered with or deleted, potentially causing denial of service. Since the flaw requires no authentication and no user interaction, it can be exploited by remote attackers with minimal effort, increasing the likelihood of attacks. Organizations relying on SiYuan for knowledge management, especially those handling sensitive or proprietary information, face risks of espionage, data leakage, and operational disruption. The absence of known exploits currently provides a window for proactive mitigation, but the critical severity demands immediate attention to prevent future exploitation.

To mitigate CVE-2026-33670, organizations should prioritize upgrading SiYuan to version 3.6.2 or later, where the vulnerability has been patched. If immediate upgrading is not feasible, restrict network access to the /api/file/readDir endpoint by implementing firewall rules or API gateway controls to limit exposure to trusted users or internal networks only. Employ input validation and sanitization at the application or proxy level to detect and block path traversal attempts, such as sequences containing '../' or encoded variants. Conduct thorough security testing and code reviews of any custom integrations or plugins interacting with SiYuan's file APIs to ensure no similar vulnerabilities exist. Monitor logs for unusual access patterns or attempts to access unauthorized file paths. Additionally, implement least privilege principles for the SiYuan application process to minimize the impact of potential exploitation. Regularly back up critical data and maintain incident response plans to quickly recover from any compromise. Educate users and administrators about the risks and encourage timely patch management practices.