Security Advisory

CVE-2026-32815

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-19 21:39:31
Last updated 2026-03-20 20:22:46
Assigner GitHub_M
State PUBLISHED

Description

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victims local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.