CVE-2026-34453

moderate-risk
Published 2026-03-31

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.

Do I need to act?

~
3.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

B3Log

References (4)

Issue Tracking https://github.com/siyuan-note/siyuan/issues/17246
Release Notes https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
Exploit https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q
Exploit https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c77m-r996-jr3q
38
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 7/34 · Low
Exposure 5/34 · Minimal