CVE-2026-34453 HIGH

CVE-2026-34453: SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content

Vendor Siyuan-Note

Product siyuan

Weakness CWE-863 · Incorrect authorization

Published March 31, 2026

Last update April 1, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). Because the filter treats a nil context as authorized, it skips the publish password check and returns bookmarked blocks from documents configured as Protected. As a result, anyone who can access the publish service can retrieve content from protected documents without providing the required password, as long as at least one block in the document is bookmarked. This issue has been patched in version 3.6.2.

Key dates

02Disclosure timeline

March 31, 2026 CVE published

April 1, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34453

Related vulnerabilities

CVE-2026-34453: SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content

01Description

02Disclosure timeline

03References

04Related CVE