CVE-2026-29073: SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
The /api/query/sql endpoint allows users to run SQL directly, but it only checks basic authentication, not admin rights, so any logged-in user, even one with the Reader role, can run any SQL query against the database.
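The flaw described above is a missing authorization check, not a missing authentication check: the endpoint confirms that the caller is logged in but never asks what role they hold. The following Go example (added here; it is not SiYuan's code, and the project's actual fix is not on this page) shows a login-only gate beside a role-aware gate around a hypothetical query handler. The role model, the `X-Session` header, the token values and the handler names are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role is a hypothetical ordered privilege level; SiYuan's real user and
// role representation is not described on the advisory page.
type Role int

const (
	RoleReader Role = iota
	RoleEditor
	RoleAdmin
)

// Session is the identity resolved for a request (constructed for the example).
type Session struct {
	User string
	Role Role
}

// authenticate is a stand-in for session lookup. It maps a constructed
// "X-Session" header to a session; a real service would validate a token.
func authenticate(r *http.Request) (Session, bool) {
	switch r.Header.Get("X-Session") {
	case "reader-token":
		return Session{User: "reader", Role: RoleReader}, true
	case "admin-token":
		return Session{User: "admin", Role: RoleAdmin}, true
	}
	return Session{}, false
}

// runQuery stands in for the code that executes the submitted SQL. It does
// no access control of its own, so everything depends on the wrapper.
func runQuery(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "query executed")
}

// requireLogin mirrors the weakness in the advisory: any authenticated
// caller, including a Reader, passes through to the query path.
func requireLogin(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, ok := authenticate(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// requireRole performs the missing step: after authentication it rejects
// callers whose role is below minRole with 403 Forbidden.
func requireRole(minRole Role, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		s, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if s.Role < minRole {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// vulnerableHandler is the login-only gate; hardenedHandler requires Admin,
// the level the advisory names as the one that should be required.
var (
	vulnerableHandler = requireLogin(runQuery)
	hardenedHandler   = requireRole(RoleAdmin, runQuery)
)

// statusFor sends a POST to /api/query/sql through h with the given session
// header (empty means anonymous) and returns the resulting HTTP status code.
func statusFor(h http.HandlerFunc, sessionHeader string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/query/sql", nil)
	if sessionHeader != "" {
		req.Header.Set("X-Session", sessionHeader)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("login-only gate, reader:", statusFor(vulnerableHandler, "reader-token"))
	fmt.Println("role gate, reader:      ", statusFor(hardenedHandler, "reader-token"))
	fmt.Println("role gate, admin:       ", statusFor(hardenedHandler, "admin-token"))
	fmt.Println("role gate, anonymous:   ", statusFor(hardenedHandler, ""))
}
```

The distinction between 401 (not logged in) and 403 (logged in but not permitted) is deliberate: it lets access logs separate unauthenticated probes from authenticated users reaching for an endpoint above their role, which is the pattern a defender would want to alert on for this class of issue.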