CVE-2026-40259: CWE-285: Improper Authorization in siyuan-note siyuan
CVE-2026-40259 is a high-severity improper authorization vulnerability in the SiYuan personal knowledge management system versions 3. 6. 3 and below. The /api/av/removeUnusedAttributeView endpoint only requires generic authentication that accepts publish-service RoleReader tokens, allowing an authenticated reader to delete attribute view definitions without proper write privileges. This can cause permanent deletion of arbitrary attribute views, leading to breakage of database views and workspace rendering until manually restored. The issue is fixed in version 3. 6. 4.
AI Analysis
Technical Summary
SiYuan versions 3.6.3 and earlier have an improper authorization vulnerability (CWE-285) in the /api/av/removeUnusedAttributeView endpoint. The endpoint accepts requests authenticated with publish-service RoleReader tokens, which are intended for read-only access. However, the endpoint passes a caller-controlled id directly to a model function that deletes the corresponding attribute view file without verifying write permissions or whether the attribute view is unused. This allows an authenticated reader to delete arbitrary attribute views by extracting data-av-id values from published content, causing disruption in database views and workspace rendering. The vulnerability is resolved in version 3.6.4.
Potential Impact
An authenticated user with publish-service RoleReader privileges can delete arbitrary attribute view definitions, causing breakage of database views and workspace rendering. This results in denial of availability of certain workspace features until the deleted views are manually restored. There is no impact on confidentiality, but integrity and availability are affected.
Mitigation Recommendations
Upgrade SiYuan to version 3.6.4 or later, where this vulnerability is fixed. Since no official patch link or temporary fix is provided, updating to the fixed version is the recommended remediation. Users should verify that they are not running affected versions and apply the update promptly.
CVE-2026-40259: CWE-285: Improper Authorization in siyuan-note siyuan
Description
CVE-2026-40259 is a high-severity improper authorization vulnerability in the SiYuan personal knowledge management system versions 3. 6. 3 and below. The /api/av/removeUnusedAttributeView endpoint only requires generic authentication that accepts publish-service RoleReader tokens, allowing an authenticated reader to delete attribute view definitions without proper write privileges. This can cause permanent deletion of arbitrary attribute views, leading to breakage of database views and workspace rendering until manually restored. The issue is fixed in version 3. 6. 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SiYuan versions 3.6.3 and earlier have an improper authorization vulnerability (CWE-285) in the /api/av/removeUnusedAttributeView endpoint. The endpoint accepts requests authenticated with publish-service RoleReader tokens, which are intended for read-only access. However, the endpoint passes a caller-controlled id directly to a model function that deletes the corresponding attribute view file without verifying write permissions or whether the attribute view is unused. This allows an authenticated reader to delete arbitrary attribute views by extracting data-av-id values from published content, causing disruption in database views and workspace rendering. The vulnerability is resolved in version 3.6.4.
Potential Impact
An authenticated user with publish-service RoleReader privileges can delete arbitrary attribute view definitions, causing breakage of database views and workspace rendering. This results in denial of availability of certain workspace features until the deleted views are manually restored. There is no impact on confidentiality, but integrity and availability are affected.
Mitigation Recommendations
Upgrade SiYuan to version 3.6.4 or later, where this vulnerability is fixed. Since no official patch link or temporary fix is provided, updating to the fixed version is the recommended remediation. Users should verify that they are not running affected versions and apply the update promptly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2142282d89c981fcd7ced
Added to database: 4/17/2026, 11:06:10 AM
Last enriched: 4/17/2026, 11:07:39 AM
Last updated: 4/17/2026, 12:08:57 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.