CVE-2026-30869: SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage

March 7, 2026 (updated March 10, 2026)

A path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token, cookie signing key, and workspace access authentication code.

Leaking these secrets may enable administrative access to the SiYuan kernel API, and in certain deployment scenarios could potentially be chained into remote code execution (RCE).

References

github.com/advisories/GHSA-2h2p-mvfx-868w
github.com/siyuan-note/siyuan
github.com/siyuan-note/siyuan/security/advisories/GHSA-2h2p-mvfx-868w
nvd.nist.gov/vuln/detail/CVE-2026-30869

Code Behaviors & Features

Detect and mitigate CVE-2026-30869 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →