CVE-2026-30926

HIGH 7.1

SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish users with read-only privileges to append new blocks to existing documents, compromising the integrity of stored notes.

CWE	CWE-284 CWE-862
Vendor	siyuan-note
Product	siyuan
Published	Mar 9, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for siyuan-note siyuan

Be the first to know when new high vulnerabilities affecting siyuan-note siyuan are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Affected Versions

siyuan-note / siyuan

< 3.5.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523