CVE-2026-40259: CWE-285: Improper Authorization in siyuan-note siyuan
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.
AI Analysis
Technical Summary
CVE-2026-40259 is an improper authorization vulnerability (CWE-285) in the SiYuan personal knowledge management system. In versions 3.6.3 and earlier, the /api/av/removeUnusedAttributeView endpoint only requires generic authentication that accepts publish-service RoleReader tokens. The endpoint handler uses a caller-controlled id to delete attribute view files without verifying write privileges or whether the attribute view is unused. This allows an authenticated user with read-level tokens to delete arbitrary attribute views, leading to breakage of database views and workspace rendering until manual restoration. The vulnerability is resolved in version 3.6.4.
Potential Impact
An attacker with authenticated publish-service RoleReader tokens can permanently delete arbitrary attribute view definitions by exploiting this vulnerability. This results in broken database views and disrupted workspace rendering, impacting the integrity and availability of the user's knowledge management data until manual recovery is performed. There is no confidentiality impact reported. No known exploits in the wild have been documented.
Mitigation Recommendations
Upgrade to SiYuan version 3.6.4 or later, where this improper authorization vulnerability has been fixed. Until upgrading, restrict access to publish-service RoleReader tokens to trusted users only. Patch status is not explicitly stated beyond the fixed version; therefore, verify the vendor advisory for the latest remediation guidance.
CVE-2026-40259: CWE-285: Improper Authorization in siyuan-note siyuan
Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.
CVSS v3.1
Score 8.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40259 is an improper authorization vulnerability (CWE-285) in the SiYuan personal knowledge management system. In versions 3.6.3 and earlier, the /api/av/removeUnusedAttributeView endpoint only requires generic authentication that accepts publish-service RoleReader tokens. The endpoint handler uses a caller-controlled id to delete attribute view files without verifying write privileges or whether the attribute view is unused. This allows an authenticated user with read-level tokens to delete arbitrary attribute views, leading to breakage of database views and workspace rendering until manual restoration. The vulnerability is resolved in version 3.6.4.
Potential Impact
An attacker with authenticated publish-service RoleReader tokens can permanently delete arbitrary attribute view definitions by exploiting this vulnerability. This results in broken database views and disrupted workspace rendering, impacting the integrity and availability of the user's knowledge management data until manual recovery is performed. There is no confidentiality impact reported. No known exploits in the wild have been documented.
Mitigation Recommendations
Upgrade to SiYuan version 3.6.4 or later, where this improper authorization vulnerability has been fixed. Until upgrading, restrict access to publish-service RoleReader tokens to trusted users only. Patch status is not explicitly stated beyond the fixed version; therefore, verify the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2142282d89c981fcd7ced
Added to database: 4/17/2026, 11:06:10 AM
Last enriched: 4/24/2026, 4:04:33 PM
Last updated: 6/2/2026, 1:14:32 AM
Views: 80
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.