<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SiYuan Note (&lt;= V3.6.5) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/siyuan-note--v3.6.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:38:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/siyuan-note--v3.6.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>SiYuan Unauthenticated Admin API Access via Chrome Extension Allowlist</title><link>https://feed.craftedsignal.io/briefs/2026-07-siyuan-unauthenticated-admin-api-access/</link><pubDate>Fri, 10 Jul 2026 19:38:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-siyuan-unauthenticated-admin-api-access/</guid><description>A critical vulnerability (CVE-2026-54069) in SiYuan Note kernel's HTTP server allows any Chrome/Chromium browser extension to gain unauthenticated RoleAdministrator access, enabling data exfiltration, stored XSS injection, and configuration tampering for SiYuan desktop users, including via compromised legitimate extensions.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-54069) has been identified in SiYuan Note's kernel HTTP server (versions &lt;= v3.6.5). The server unconditionally trusts all <code>chrome-extension://</code> origins, granting <code>RoleAdministrator</code> access to every installed browser extension without any authentication. This oversight, combined with an empty default <code>AccessAuthCode</code> on desktop installations, means any Chrome or Chromium extension, including those with minimal permissions or a legitimately compromised one, can make fully authenticated admin API calls to the SiYuan kernel running on <code>127.0.0.1:6806</code>. This allows attackers to exfiltrate sensitive workspace data, inject persistent cross-site scripting (XSS) payloads into notes, and tamper with SiYuan's configuration, potentially leading to further compromise or data loss. The vulnerability acts as a privilege escalation and an initial access vector into the SiYuan application for malicious extensions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user installs a malicious or compromised Chrome/Chromium browser extension. The extension requires no special <code>host_permissions</code> as the SiYuan kernel is accessible via localhost.</li>
<li>The browser extension, executing its <code>bg.js</code> background script, initiates HTTP POST requests to the SiYuan kernel's API endpoint, typically <code>http://127.0.0.1:6806</code>.</li>
<li>The SiYuan kernel's <code>CheckAuth</code> middleware identifies the <code>Origin</code> header as <code>chrome-extension://</code> and unconditionally bypasses authentication.</li>
<li>The SiYuan kernel assigns <code>RoleAdministrator</code> to the incoming request, effectively granting full administrative control to the extension.</li>
<li>The malicious extension makes API calls such as <code>/api/system/getConf</code> to verify its administrative access.</li>
<li>The extension then exploits its administrative access to perform actions like data exfiltration using <code>/api/query/sql</code> to extract the entire workspace or inject stored XSS payloads into notes via <code>/api/block/insertBlock</code>.</li>
<li>Further impact can include configuration tampering via <code>/api/system/setConf</code>, potentially leading to persistence or expanded attack surface.</li>
<li>The attacker achieves data exfiltration, persistent code execution via XSS, or other destructive actions within the SiYuan application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability (CVE-2026-54069) allows for full administrative control over the SiYuan Note kernel by any installed Chrome/Chromium extension. Successful exploitation enables unauthenticated data exfiltration of the entire workspace, including sensitive notes and documents, through APIs like <code>/api/query/sql</code>. Attackers can also inject stored XSS payloads into user notes, leading to persistent client-side code execution within the SiYuan application and potential session hijacking or further data compromise. Configuration tampering is possible via <code>/api/system/setConf</code>, which could be used to establish persistence or degrade the application's security. This vulnerability represents a significant supply chain risk, as a single compromised popular browser extension could silently affect a wide user base of SiYuan desktop users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-54069 by upgrading SiYuan Note to a version beyond <code>v3.6.5</code> that contains the fix for the blanket <code>chrome-extension://</code> allowlist.</li>
<li>Implement host-based intrusion detection system (HIDS) rules to alert on suspicious network connections originating from browser processes (e.g., <code>chrome.exe</code>, <code>msedge.exe</code>) to <code>127.0.0.1</code> on port <code>6806</code>, as detailed in the Sigma rule below.</li>
<li>Review web server or proxy logs (if applicable and configured to intercept loopback traffic) for HTTP POST requests to <code>/api/query/sql</code>, <code>/api/block/insertBlock</code>, or <code>/api/system/setConf</code> on <code>127.0.0.1:6806</code> with <code>Origin</code> headers starting with <code>chrome-extension://</code>.</li>
<li>Monitor for unusual activity related to the SiYuan application, such as unexpected file modifications or API calls, which may indicate configuration tampering or data exfiltration.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web-vulnerability</category><category>privilege-escalation</category><category>data-exfiltration</category><category>xss</category><category>supply-chain</category><category>desktop-application</category><category>chrome-extension</category><category>siyuan</category></item></channel></rss>