CVE-2026-34453: CWE-863: Incorrect Authorization in siyuan-note siyuan
CVE-2026-34453 is a high-severity authorization vulnerability in SiYuan Note versions prior to 3.6.2. The flaw allows unauthenticated users to access bookmarked blocks from password-protected documents via the publish service. This occurs because the filtering function incorrectly treats a nil context as authorized, bypassing password checks. Exploiting this vulnerability does not require authentication or user interaction and can lead to unauthorized disclosure of sensitive content. The issue affects the publish/read-only mode endpoint /api/bookmark/getBookmark. The vulnerability has been patched in version 3.6.2.
AI Analysis
Technical Summary
SiYuan Note is a personal knowledge management system that allows users to create and publish content, including password-protected documents. Prior to version 3.6.2, a critical authorization flaw (CVE-2026-34453) exists in the publish service's handling of bookmarked blocks within these protected documents. Specifically, when accessing the endpoint /api/bookmark/getBookmark in publish/read-only mode, the system filters bookmarks by invoking the function FilterBlocksByPublishAccess with a nil context parameter. This nil context is erroneously interpreted as an authorized context, causing the function to skip the password verification step. Consequently, any unauthenticated visitor who can reach the publish service can retrieve bookmarked blocks from documents that are meant to be protected by a password, provided that at least one block in the document is bookmarked. This bypasses the intended access control and exposes potentially sensitive information without requiring any credentials or user interaction. The vulnerability is classified under CWE-863 (Incorrect Authorization) and has a CVSS v3.1 score of 7.5, reflecting its high severity. The flaw impacts confidentiality but does not affect integrity or availability. The issue was publicly disclosed on March 31, 2026, and has been addressed in SiYuan Note version 3.6.2. No public exploits have been observed in the wild to date.
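To make the mechanism concrete, the following is an added Go example, not SiYuan's own code: the Doc, Block and PublishCtx types and the filterVulnerable/filterFixed functions are hypothetical stand-ins for the pattern the analysis describes, contrasting a publish-access filter that treats a nil context as authorized with one that denies by default.

```go
package main

import "fmt"

// Constructed models, not SiYuan's own types; an empty Password means the document is not protected.
type Doc struct{ ID, Password string }
type Block struct{ ID, DocID string }

// PublishCtx lists the protected documents a visitor has unlocked; a nil
// *PublishCtx is an anonymous request that carries no context at all.
type PublishCtx struct{ Unlocked map[string]bool }

// filterVulnerable reproduces the pattern the advisory describes: a nil
// context is treated as authorized, so the password check is skipped.
func filterVulnerable(ctx *PublishCtx, docs map[string]Doc, blocks []Block) []Block {
	var out []Block
	for _, b := range blocks {
		d := docs[b.DocID]
		if ctx == nil || d.Password == "" || ctx.Unlocked[d.ID] {
			out = append(out, b)
		}
	}
	return out
}

// filterFixed denies by default: a block from a password-protected document
// passes only when a real context exists and records that document as unlocked.
func filterFixed(ctx *PublishCtx, docs map[string]Doc, blocks []Block) []Block {
	var out []Block
	for _, b := range blocks {
		d := docs[b.DocID]
		if d.Password == "" || (ctx != nil && ctx.Unlocked[d.ID]) {
			out = append(out, b)
		}
	}
	return out
}

// sampleData is constructed input: one public and one protected document, one bookmark each.
func sampleData() (map[string]Doc, []Block) {
	docs := map[string]Doc{"public": {ID: "public"}, "secret": {ID: "secret", Password: "constructed-pw"}}
	return docs, []Block{{ID: "b1", DocID: "public"}, {ID: "b2", DocID: "secret"}}
}

func main() {
	docs, blocks := sampleData() // anonymous request: flawed filter returns 2 blocks, fixed returns 1
	fmt.Println(len(filterVulnerable(nil, docs, blocks)), len(filterFixed(nil, docs, blocks)))
}
```

The fixed variant also keeps an empty (non-nil) context from unlocking anything, which is the deny-by-default behaviour a reviewer should look for in any such filter.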
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive or confidential information stored within password-protected documents in SiYuan Note. Organizations relying on SiYuan Note for personal or collaborative knowledge management may inadvertently expose proprietary, private, or regulated data to any unauthenticated user who can access the publish service endpoint. This can lead to data breaches, loss of intellectual property, and compliance violations, especially if sensitive business or personal information is involved. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely and at scale if the publish service is publicly accessible. Although no integrity or availability impact is reported, the breach of confidentiality alone can have severe reputational and financial consequences. The risk is heightened in environments where SiYuan Note is used for critical documentation or where password protection is relied upon as a primary access control mechanism.
Mitigation Recommendations
1. Immediately upgrade to SiYuan Note version 3.6.2 or later, where the vulnerability is patched.
2. Restrict network access to the publish service endpoint (/api/bookmark/getBookmark) to trusted users or internal networks only, using firewall rules or VPNs, until the patch can be applied.
3. Review and audit published documents for any sensitive bookmarked blocks that may have been exposed prior to patching.
4. Implement additional access controls or authentication layers in front of the publish service to prevent unauthorized access.
5. Educate users on the risks of relying solely on password protection within SiYuan Note and encourage use of complementary security measures such as encryption or role-based access controls.
6. Monitor logs and network traffic for unusual access patterns to the publish service that could indicate exploitation attempts.
7. If possible, temporarily disable the publish/read-only mode if it is not essential to operations until the patch is applied.
Affected Countries
United States, China, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T18:18:14.895Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cc424fe6bfc5ba1d44f4be
Added to database: 3/31/2026, 9:53:19 PM
Last enriched: 3/31/2026, 10:08:48 PM
Last updated: 3/31/2026, 11:19:16 PM