{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/siyuan-note--v3.6.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-54069"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SiYuan Note (\u003c= v3.6.5)","SiYuan Kernel HTTP Server"],"_cs_severities":["critical"],"_cs_tags":["web-vulnerability","privilege-escalation","data-exfiltration","xss","supply-chain","desktop-application","chrome-extension","siyuan"],"_cs_type":"advisory","_cs_vendors":["SiYuan"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-54069) has been identified in SiYuan Note's kernel HTTP server (versions \u0026lt;= v3.6.5). The server unconditionally trusts all \u003ccode\u003echrome-extension://\u003c/code\u003e origins, granting \u003ccode\u003eRoleAdministrator\u003c/code\u003e access to every installed browser extension without any authentication. This oversight, combined with an empty default \u003ccode\u003eAccessAuthCode\u003c/code\u003e on desktop installations, means any Chrome or Chromium extension, including those with minimal permissions or a legitimately compromised one, can make fully authenticated admin API calls to the SiYuan kernel running on \u003ccode\u003e127.0.0.1:6806\u003c/code\u003e. This allows attackers to exfiltrate sensitive workspace data, inject persistent cross-site scripting (XSS) payloads into notes, and tamper with SiYuan's configuration, potentially leading to further compromise or data loss. The vulnerability acts as a privilege escalation and an initial access vector into the SiYuan application for malicious extensions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user installs a malicious or compromised Chrome/Chromium browser extension. The extension requires no special \u003ccode\u003ehost_permissions\u003c/code\u003e as the SiYuan kernel is accessible via localhost.\u003c/li\u003e\n\u003cli\u003eThe browser extension, executing its \u003ccode\u003ebg.js\u003c/code\u003e background script, initiates HTTP POST requests to the SiYuan kernel's API endpoint, typically \u003ccode\u003ehttp://127.0.0.1:6806\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SiYuan kernel's \u003ccode\u003eCheckAuth\u003c/code\u003e middleware identifies the \u003ccode\u003eOrigin\u003c/code\u003e header as \u003ccode\u003echrome-extension://\u003c/code\u003e and unconditionally bypasses authentication.\u003c/li\u003e\n\u003cli\u003eThe SiYuan kernel assigns \u003ccode\u003eRoleAdministrator\u003c/code\u003e to the incoming request, effectively granting full administrative control to the extension.\u003c/li\u003e\n\u003cli\u003eThe malicious extension makes API calls such as \u003ccode\u003e/api/system/getConf\u003c/code\u003e to verify its administrative access.\u003c/li\u003e\n\u003cli\u003eThe extension then exploits its administrative access to perform actions like data exfiltration using \u003ccode\u003e/api/query/sql\u003c/code\u003e to extract the entire workspace or inject stored XSS payloads into notes via \u003ccode\u003e/api/block/insertBlock\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFurther impact can include configuration tampering via \u003ccode\u003e/api/system/setConf\u003c/code\u003e, potentially leading to persistence or expanded attack surface.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves data exfiltration, persistent code execution via XSS, or other destructive actions within the SiYuan application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability (CVE-2026-54069) allows for full administrative control over the SiYuan Note kernel by any installed Chrome/Chromium extension. Successful exploitation enables unauthenticated data exfiltration of the entire workspace, including sensitive notes and documents, through APIs like \u003ccode\u003e/api/query/sql\u003c/code\u003e. Attackers can also inject stored XSS payloads into user notes, leading to persistent client-side code execution within the SiYuan application and potential session hijacking or further data compromise. Configuration tampering is possible via \u003ccode\u003e/api/system/setConf\u003c/code\u003e, which could be used to establish persistence or degrade the application's security. This vulnerability represents a significant supply chain risk, as a single compromised popular browser extension could silently affect a wide user base of SiYuan desktop users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54069 by upgrading SiYuan Note to a version beyond \u003ccode\u003ev3.6.5\u003c/code\u003e that contains the fix for the blanket \u003ccode\u003echrome-extension://\u003c/code\u003e allowlist.\u003c/li\u003e\n\u003cli\u003eImplement host-based intrusion detection system (HIDS) rules to alert on suspicious network connections originating from browser processes (e.g., \u003ccode\u003echrome.exe\u003c/code\u003e, \u003ccode\u003emsedge.exe\u003c/code\u003e) to \u003ccode\u003e127.0.0.1\u003c/code\u003e on port \u003ccode\u003e6806\u003c/code\u003e, as detailed in the Sigma rule below.\u003c/li\u003e\n\u003cli\u003eReview web server or proxy logs (if applicable and configured to intercept loopback traffic) for HTTP POST requests to \u003ccode\u003e/api/query/sql\u003c/code\u003e, \u003ccode\u003e/api/block/insertBlock\u003c/code\u003e, or \u003ccode\u003e/api/system/setConf\u003c/code\u003e on \u003ccode\u003e127.0.0.1:6806\u003c/code\u003e with \u003ccode\u003eOrigin\u003c/code\u003e headers starting with \u003ccode\u003echrome-extension://\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual activity related to the SiYuan application, such as unexpected file modifications or API calls, which may indicate configuration tampering or data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:38:31Z","date_published":"2026-07-10T19:38:31Z","id":"https://feed.craftedsignal.io/briefs/2026-07-siyuan-unauthenticated-admin-api-access/","summary":"A critical vulnerability (CVE-2026-54069) in SiYuan Note kernel's HTTP server allows any Chrome/Chromium browser extension to gain unauthenticated RoleAdministrator access, enabling data exfiltration, stored XSS injection, and configuration tampering for SiYuan desktop users, including via compromised legitimate extensions.","title":"SiYuan Unauthenticated Admin API Access via Chrome Extension Allowlist","url":"https://feed.craftedsignal.io/briefs/2026-07-siyuan-unauthenticated-admin-api-access/"}],"language":"en","title":"CraftedSignal Threat Feed - SiYuan Note (\u003c= V3.6.5)","version":"https://jsonfeed.org/version/1.1"}