CVE-2026-32815
SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass โ Unauthenticated Information Disclosure
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client โ including malicious websites via cross-origin WebSocket โ to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.
| CWE | CWE-287 |
| Vendor | siyuan-note |
| Product | siyuan |
| Published | Mar 19, 2026 |
| Last Updated | Mar 20, 2026 |
Get instant alerts for siyuan-note siyuan
Be the first to know when new unknown vulnerabilities affecting siyuan-note siyuan are published โ delivered to Slack, Telegram or Discord.