{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/arbitrary-document-access/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["siyuan","arbitrary-document-access","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan, a note-taking application, is susceptible to an arbitrary document reading vulnerability within its publishing service. This flaw allows an unauthenticated attacker to bypass access controls and retrieve the content of any document, regardless of encryption or access restrictions. The vulnerability stems from inadequate authorization checks when accessing document content through specific API endpoints. The issue was reported on March 25, 2026, and is tracked as CVE-2026-33669. The vulnerable package is \u003ccode\u003ego/github.com/siyuan-note/siyuan/kernel\u003c/code\u003e, specifically versions equal to or older than \u003ccode\u003e0.0.0-20260317012524-fe4523fff2c8\u003c/code\u003e. This vulnerability poses a significant risk to organizations and individuals using SiYuan for sensitive data storage, potentially leading to unauthorized access and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a SiYuan instance with the publishing service enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003e/api/file/readDir\u003c/code\u003e endpoint to retrieve a list of document IDs. This endpoint lacks proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe SiYuan server responds with a list of document IDs available within the publishing service.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a target document ID from the list obtained in the previous step.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e endpoint, providing the target document ID in the request body. This endpoint is intended to retrieve child blocks of a specific document.\u003c/li\u003e\n\u003cli\u003eDue to insufficient access control, the server processes the request and returns the content of the requested document, even if it is encrypted or restricted.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to extract the document content, which is typically formatted in Markdown.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat steps 4-7 to obtain the content of other documents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe arbitrary document reading vulnerability allows unauthorized access to potentially sensitive information stored within SiYuan. Successful exploitation could lead to the disclosure of confidential documents, intellectual property, personal data, or other restricted content. The impact is significant, as it bypasses intended security measures such as encryption and access controls. While specific victim numbers are unknown, any organization or individual utilizing the affected SiYuan version with the publishing service enabled is potentially at risk. The CVE is rated critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan to a patched version that addresses CVE-2026-33669.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;SiYuan Arbitrary Document Access via getChildBlocks\u0026rdquo; to detect potential exploitation attempts targeting the \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e endpoint in your web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, specifically POST requests to \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e with unusual document IDs or request patterns.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/api/file/readDir\u003c/code\u003e and \u003ccode\u003e/api/block/getChildBlocks\u003c/code\u003e endpoints to mitigate potential abuse.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging and ensure all SiYuan instances are monitored by the logging solution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T19:37:18Z","date_published":"2026-03-25T19:37:18Z","id":"/briefs/2026-06-siyuan-arbitrary-doc-read/","summary":"SiYuan is vulnerable to arbitrary document reading via the publishing service, allowing attackers to retrieve document IDs and view the content of all documents, including encrypted or prohibited ones, by exploiting the `/api/file/readDir` and `/api/block/getChildBlocks` interfaces.","title":"SiYuan Arbitrary Document Reading Vulnerability in Publishing Service","url":"https://feed.craftedsignal.io/briefs/2026-06-siyuan-arbitrary-doc-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Arbitrary-Document-Access","version":"https://jsonfeed.org/version/1.1"}