
SiYuan Authorization Bypass: Unauthenticated SQL Execution via Inconsistent Middleware Chain

The `/api/search/fullTextSearchBlock` endpoint in SiYuan v3.6.0 bypasses role-based access controls present on other SQL endpoints, allowing any authenticated user (including read-only roles) to execute arbitrary SQL. This PoC proves the middleware chain inconsistency is exploitable in production deployments.

Sebastion

CVE References

Affected

SiYuan/SiYuan (<= 3.6.0)

Vulnerability Description

This is a middleware chain omission vulnerability resulting in broken access control (CWE-639). The /api/search/fullTextSearchBlock endpoint applies only the CheckAuth middleware, which verifies user identity but enforces neither role-based restrictions (CheckAdminRole) nor the read-only mode check (CheckReadonly). When the method parameter equals 2, the endpoint passes unsanitized user input directly to SQLite, enabling unauthorized SQL execution (SELECT, INSERT, UPDATE, DELETE, DROP TABLE). The root cause is architectural inconsistency: the /api/query/sql endpoint correctly enforces the full middleware chain (CheckAuth → CheckAdminRole → CheckReadonly), yet the search API does not.

PoC Significance for Defenders

This disclosure proves that role-based access control can be bypassed through alternate API endpoints that perform equivalent operations without matching security controls. The PoC establishes:

  • Reliability: Exploitation is deterministic for any authenticated session; no race or environmental condition is involved
  • Preconditions: Only valid user credentials required (no admin role needed)
  • Scope: Any authenticated user (Reader, Editor, Administrator) can escalate to full database control
  • Impact scope: Full database confidentiality, integrity, and availability compromise without audit trail separation by role

Detection Guidance

Log-based signatures:

  • Monitor POST requests to /api/search/fullTextSearchBlock with method=2 parameter
  • Detect SQL keywords (SELECT, INSERT, UPDATE, DELETE, DROP, CREATE) in request body payloads
  • Alert on requests from users with Reader role accessing this endpoint (baseline: should be editors/admins only)
  • Track unusual query patterns: queries accessing system tables (sqlite_master), administrative schemas, or multiple tables in sequence

Request patterns to flag:

  • Parameter method=2 combined with SQL clauses
  • Requests originating from reader-role accounts
  • Rapid sequential requests suggesting automated exploitation

Application-level detection:

  • Instrument the fullTextSearchBlock handler to log all SQL statements before execution
  • Flag non-SELECT operations (DML/DDL) in search context
  • Monitor database connection logs for unusual activity from the application process
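
As an added example (not SiYuan's own code), the log-based signatures above expressed as a Go detection rule run over constructed request records; the log record shape and the body field names `method` and `query` are assumptions, since the page only names the method parameter.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Log record shape is an assumption: a proxy or app log that captures the
// path, the authenticated user's role and the raw JSON request body.
type LogEntry struct{ User, Role, Path, Body string }

// Body field names ("method", "query") are assumptions for illustration.
type searchBody struct {
	Method int    `json:"method"`
	Query  string `json:"query"`
}

const endpoint = "/api/search/fullTextSearchBlock"

// Non-SELECT verbs and the SQLite schema table the guidance calls out.
var suspicious = regexp.MustCompile(`(?i)\b(INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|sqlite_master)\b`)

// Classify returns the reasons one request should be flagged; nil means benign.
func Classify(e LogEntry) []string {
	if e.Path != endpoint {
		return nil
	}
	var reasons []string
	if strings.EqualFold(e.Role, "reader") {
		reasons = append(reasons, "reader role reached search endpoint")
	}
	var b searchBody
	if json.Unmarshal([]byte(e.Body), &b) != nil || b.Method != 2 {
		return reasons // only method=2 reaches the raw SQL code path
	}
	if suspicious.MatchString(b.Query) {
		reasons = append(reasons, "method=2 with write statement or sqlite_master access")
	}
	return reasons
}

// Constructed sample requests: one routine search, one reader-role write
// attempt, one admin schema enumeration through the search endpoint.
var Sample = []LogEntry{
	{"alice", "editor", endpoint, `{"method":0,"query":"meeting notes"}`},
	{"bob", "reader", endpoint, `{"method":2,"query":"DROP TABLE blocks"}`},
	{"carol", "admin", endpoint, `{"method":2,"query":"SELECT sql FROM sqlite_master"}`},
}
```

Feed real proxy records through Classify and route any non-empty result to the alerting pipeline; the reader-role reason fires regardless of method, matching the third signature above.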

Mitigation Steps

Immediate patch (code-level):

  1. Update kernel/api/router.go line 188 to match the protected endpoint:
     ginServer.Handle("POST", "/api/search/fullTextSearchBlock", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, fullTextSearchBlock)
  2. Add input validation: whitelist method parameter values; reject method=2 for non-admin roles
  3. Implement parameterized queries or prepared statements for the method=2 code path
  4. Apply the principle of least privilege: restrict the database user account to SELECT-only permissions for non-admin contexts

Temporary workarounds (pre-patch):

  • Disable the search API endpoint via reverse proxy WAF rules blocking /api/search/fullTextSearchBlock
  • Implement network-level access controls restricting the endpoint to administrator IP ranges
  • Revoke non-essential authenticated user accounts (Reader roles) until patch is deployed

Post-mitigation validation:

  • Audit all recent requests to the endpoint; identify and investigate suspicious queries
  • Review database transaction logs for unauthorized DDL/DML operations
  • Restore from backups if data tampering is suspected

Risk Assessment

Likelihood of exploitation: HIGH. The vulnerability requires only valid credentials (often abundant in team/organizational SiYuan deployments) and is trivial to exploit programmatically. SiYuan is a popular knowledge management tool in technical communities where malicious insiders or credential-compromised accounts are plausible threat vectors.

Threat actor interest: MODERATE-TO-HIGH. This enables rapid data exfiltration, destructive operations (database wiping), and persistent backdoors via stored procedures. State-sponsored actors and criminal syndicates targeting organizational knowledge bases would prioritize this for lateral movement.

Exploitation confidence: The PoC proves the vulnerability is reliable and requires no special conditions beyond authentication. Public disclosure increases exploitation velocity; defenders should prioritize patching within 24-72 hours.