{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unauthorized_access/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["siyuan"],"_cs_severities":["high"],"_cs_tags":["siyuan","misconfiguration","unauthorized_access","data_manipulation"],"_cs_type":"advisory","_cs_vendors":["siyuan-note"],"content_html":"\u003cp\u003eSiYuan is vulnerable to unauthorized modification of server-side state due to missing authorization checks on eight API endpoints: \u003ccode\u003e/api/graph/getGraph\u003c/code\u003e, \u003ccode\u003e/api/graph/getLocalGraph\u003c/code\u003e, \u003ccode\u003e/api/sync/setSyncInterval\u003c/code\u003e, \u003ccode\u003e/api/storage/updateRecentDocViewTime\u003c/code\u003e, \u003ccode\u003e/api/storage/updateRecentDocCloseTime\u003c/code\u003e, \u003ccode\u003e/api/storage/updateRecentDocOpenTime\u003c/code\u003e, \u003ccode\u003e/api/storage/batchUpdateRecentDocCloseTime\u003c/code\u003e, and \u003ccode\u003e/api/search/updateEmbedBlock\u003c/code\u003e. These endpoints lack \u003ccode\u003emodel.CheckAdminRole\u003c/code\u003e and \u003ccode\u003emodel.CheckReadonly\u003c/code\u003e checks, allowing any authenticated user, including publish-service \u003ccode\u003eRoleReader\u003c/code\u003e and \u003ccode\u003eRoleEditor\u003c/code\u003e with \u003ccode\u003eEditor.ReadOnly = true\u003c/code\u003e, to write to the server. This can lead to atomic rewrites of the \u003ccode\u003e\u0026lt;workspace\u0026gt;/conf/conf.json\u003c/code\u003e file and modifications to the SQL index. This vulnerability affects all SiYuan versions up to and including v3.6.5. This is similar to previously patched vulnerabilities GHSA-6r88-8v7q-q4p2 and GHSA-4j3x-hhg2-fm2x, indicating a recurring pattern of missing authorization checks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the SiYuan application, obtaining a JWT that passes \u003ccode\u003eCheckAuth\u003c/code\u003e. This can be as a publish-service \u003ccode\u003eRoleReader\u003c/code\u003e (anonymous publish visitor) or a \u003ccode\u003eRoleEditor\u003c/code\u003e against a workspace where \u003ccode\u003eEditor.ReadOnly = true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to \u003ccode\u003e/api/sync/setSyncInterval\u003c/code\u003e with a crafted JSON payload containing a malicious interval value (e.g., 30 or 43200).\u003c/li\u003e\n\u003cli\u003eThe server receives the request and updates the \u003ccode\u003eConf.Sync.Interval\u003c/code\u003e value based on the attacker-provided interval, persisting the change to \u003ccode\u003econf.json\u003c/code\u003e via \u003ccode\u003eConf.Save()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to \u003ccode\u003e/api/graph/getGraph\u003c/code\u003e with a crafted JSON payload containing a malicious graph configuration.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and overwrites \u003ccode\u003emodel.Conf.Graph.Global\u003c/code\u003e from the attacker-supplied JSON and persists the entire workspace \u003ccode\u003econf.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to \u003ccode\u003e/api/search/updateEmbedBlock\u003c/code\u003e with a crafted JSON payload, specifying an embed-block ID and malicious content.\u003c/li\u003e\n\u003cli\u003eThe server receives the request and updates the \u003ccode\u003eblocks\u003c/code\u003e table in the SQL database, rewriting the \u003ccode\u003econtent\u003c/code\u003e column for the specified embed-block ID.\u003c/li\u003e\n\u003cli\u003eOther users accessing the SiYuan application will now see the poisoned content when the embedded block is displayed or searched.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthorized users to modify the SiYuan configuration and data, potentially leading to denial-of-service, data corruption, and information disclosure. Specifically, attackers can:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eCause a denial-of-service by setting a minimal cloud sync interval (30 seconds), causing excessive battery drain and bandwidth consumption on connected clients.\u003c/li\u003e\n\u003cli\u003eEffectively pause cloud sync by setting a maximal sync interval (43200 seconds), increasing the risk of data divergence.\u003c/li\u003e\n\u003cli\u003eCorrupt graph rendering by providing extreme values for \u003ccode\u003emaxBlocks\u003c/code\u003e, \u003ccode\u003eminRefs\u003c/code\u003e, or \u003ccode\u003enodeSize\u003c/code\u003e in the \u003ccode\u003e/api/graph/getGraph\u003c/code\u003e or \u003ccode\u003e/api/graph/getLocalGraph\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003ePoison search results by injecting malicious content into embed blocks via the \u003ccode\u003e/api/search/updateEmbedBlock\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eManipulate the admin\u0026rsquo;s recently-opened-documents list, potentially disclosing information about publish-private notebooks via the \u003ccode\u003eupdateRecentDoc*\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SiYuan Unauthorized Sync Interval Modification\u0026rdquo; to monitor for unauthorized modifications to the sync interval using the \u003ccode\u003e/api/sync/setSyncInterval\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SiYuan Unauthorized Graph Configuration Modification\u0026rdquo; to monitor for unauthorized modifications to the graph configuration using the \u003ccode\u003e/api/graph/getGraph\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eApply the patch described in the advisory by adding \u003ccode\u003emodel.CheckAdminRole\u003c/code\u003e and \u003ccode\u003emodel.CheckReadonly\u003c/code\u003e to the affected \u003ccode\u003eginServer.Handle\u003c/code\u003e calls in \u003ccode\u003ekernel/api/router.go\u003c/code\u003e to restrict access to these API endpoints to authorized users.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the listed API endpoints (\u003ccode\u003e/api/graph/getGraph\u003c/code\u003e, \u003ccode\u003e/api/graph/getLocalGraph\u003c/code\u003e, \u003ccode\u003e/api/sync/setSyncInterval\u003c/code\u003e, \u003ccode\u003e/api/storage/updateRecentDocViewTime\u003c/code\u003e, \u003ccode\u003e/api/storage/updateRecentDocCloseTime\u003c/code\u003e, \u003ccode\u003e/api/storage/updateRecentDocOpenTime\u003c/code\u003e, \u003ccode\u003e/api/storage/batchUpdateRecentDocCloseTime\u003c/code\u003e, \u003ccode\u003e/api/search/updateEmbedBlock\u003c/code\u003e) without corresponding administrative actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:36:24Z","date_published":"2026-05-13T15:36:24Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siyuan-publish-mode-reader-mutation/","summary":"SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs, leading to configuration changes, denial of service, data corruption, and information disclosure by manipulating cloud sync intervals, graph configurations, SQL block content, and recent-documents lists.","title":"SiYuan Publish-Mode Reader Configuration and Index Mutation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-siyuan-publish-mode-reader-mutation/"}],"language":"en","title":"CraftedSignal Threat Feed — Unauthorized_access","version":"https://jsonfeed.org/version/1.1"}