CVE-2026-32767

{"id": "CVE-2026-32767", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T01:15:55.597", "references": [{"url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/issues/17209", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user \u2014 including those with the Reader role \u2014 to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Las versiones 3.6.0 e inferiores contienen una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n en el endpoint /api/search/fullTextSearchBlock. Cuando el par\u00e1metro method se establece en 2, el endpoint pasa la entrada proporcionada por el usuario directamente como una sentencia SQL sin procesar a la base de datos SQLite subyacente sin ninguna autorizaci\u00f3n ni comprobaci\u00f3n de solo lectura. Esto permite a cualquier usuario autenticado \u2014 incluidos aquellos con el rol de Lector \u2014 ejecutar sentencias SQL arbitrarias (SELECT, DELETE, UPDATE, DROP TABLE, etc.) contra la base de datos de la aplicaci\u00f3n. Esto es inconsistente con el propio modelo de seguridad de la aplicaci\u00f3n: el endpoint SQL dedicado (/api/query/sql) requiere correctamente el middleware CheckAdminRole y CheckReadonly, pero el endpoint de b\u00fasqueda omite estos controles por completo. Este problema ha sido solucionado en la versi\u00f3n 3.6.1."}], "lastModified": "2026-03-23T15:23:44.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780", "versionEndExcluding": "3.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}