{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attribute-deletion/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40259"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SiYuan"],"_cs_severities":["high"],"_cs_tags":["siyuan","attribute-deletion","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":["SiYuan"],"content_html":"\u003cp\u003eSiYuan, an open-source personal knowledge management system, is susceptible to an unauthorized attribute view deletion vulnerability. Specifically, versions 3.6.3 and earlier are affected by CVE-2026-40259. The vulnerability resides in the \u003ccode\u003e/api/av/removeUnusedAttributeView\u003c/code\u003e endpoint. This endpoint is inadequately protected, relying solely on generic authentication that accepts publish-service RoleReader tokens. An attacker with a valid RoleReader token can exploit this flaw to permanently delete arbitrary attribute view definitions, causing data corruption. This issue was resolved in SiYuan version 3.6.4, underscoring the importance of promptly updating to the latest version. The scope of targeting includes any SiYuan instance running a vulnerable version, potentially affecting any user relying on the system for knowledge management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid publish-service RoleReader token for a SiYuan instance running version 3.6.3 or below.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the \u003ccode\u003edata-av-id\u003c/code\u003e value of a target attribute view from publicly exposed or accessible content within the SiYuan workspace.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/av/removeUnusedAttributeView\u003c/code\u003e endpoint, including the compromised RoleReader token for authentication.\u003c/li\u003e\n\u003cli\u003eThe POST request contains the target \u003ccode\u003edata-av-id\u003c/code\u003e value within the request body, specifically targeting a attribute view for deletion.\u003c/li\u003e\n\u003cli\u003eThe SiYuan server, failing to properly validate the attacker's privileges and the attribute view's usage, passes the attacker-controlled \u003ccode\u003edata-av-id\u003c/code\u003e directly to a model function.\u003c/li\u003e\n\u003cli\u003eThe model function unconditionally deletes the corresponding attribute view file from the workspace's storage.\u003c/li\u003e\n\u003cli\u003eAffected database views and the workspace rendering become broken or corrupted due to the missing attribute view definition.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective of disrupting the SiYuan instance by deleting arbitrary attribute view definitions, requiring manual restoration of the database and workspace.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40259 can lead to the permanent deletion of arbitrary attribute view definitions within a SiYuan workspace. This results in broken database views and workspace rendering, requiring manual intervention to restore functionality. While the specific number of potential victims is unknown, any organization or individual utilizing SiYuan versions 3.6.3 and below is vulnerable. The impact includes data integrity issues, service disruption, and potential data loss if backups are not available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all SiYuan installations to version 3.6.4 or later to remediate CVE-2026-40259.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;SiYuan Suspicious Attribute View Deletion\u0026quot; to detect potential exploitation attempts targeting the \u003ccode\u003e/api/av/removeUnusedAttributeView\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api/av/removeUnusedAttributeView\u003c/code\u003e endpoint with unusual or unexpected \u003ccode\u003edata-av-id\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eReview and restrict publish-service RoleReader token permissions to minimize the potential impact of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-10T12:00:00Z","date_published":"2024-01-10T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-10-siyuan-attribute-deletion/","summary":"SiYuan versions 3.6.3 and below are vulnerable to unauthorized attribute view deletion via the /api/av/removeUnusedAttributeView endpoint, allowing authenticated users with publish-service RoleReader tokens to delete arbitrary attribute view definitions, leading to database view breakage and workspace rendering issues.","title":"SiYuan Unauthorized Attribute View Deletion Vulnerability (CVE-2026-40259)","url":"https://feed.craftedsignal.io/briefs/2024-01-10-siyuan-attribute-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Attribute-Deletion","version":"https://jsonfeed.org/version/1.1"}