Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.

INFO

Published Date :

2026-04-16T22:49:36.992Z

Last Modified :

2026-04-16T22:50:20.441Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40259 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40259.

URL Resource
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4 cve-icon cve-icon
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact