Description

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.

INFO

Published Date :

2026-03-09T21:07:07.481Z

Last Modified :

2026-03-10T14:58:53.053Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30926 vulnerability.

Vendors Products
B3log
  • Siyuan
Siyuan
  • Siyuan
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30926.

URL Resource
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact