CVE-2026-33203

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 23:16

Updated : 2026-03-23 18:48

NVD link : CVE-2026-33203

Mitre link : CVE-2026-33203

CVE.ORG link : CVE-2026-33203

JSON object : View

Products Affected

b3log

siyuan

CWE

CWE-248

Uncaught Exception

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-33203", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T23:16:45.520", "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific \"auth keepalive\" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Antes de la versi\u00f3n 3.6.2, el servidor WebSocket del kernel de SiYuan acepta conexiones no autenticadas cuando un par\u00e1metro de consulta espec\u00edfico 'auth keepalive' est\u00e1 presente. Despu\u00e9s de la conexi\u00f3n, los mensajes entrantes se analizan utilizando aserciones de tipo no verificadas en JSON controlado por el atacante. Un atacante remoto puede enviar mensajes malformados que desencadenan un p\u00e1nico en tiempo de ejecuci\u00f3n, lo que podr\u00eda bloquear el proceso del kernel y causar una denegaci\u00f3n de servicio. La versi\u00f3n 3.6.2 corrige el problema."}], "lastModified": "2026-03-23T18:48:43.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27CB71A7-7208-417A-AE6D-266D57F683E9", "versionEndExcluding": "3.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}