CVE-2026-32110: SiYuan has a Full-Read SSRF via /api/network/forwardProxy

March 12, 2026

The /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.

References

github.com/advisories/GHSA-56cv-c5p2-j2wg
github.com/siyuan-note/siyuan
github.com/siyuan-note/siyuan/security/advisories/GHSA-56cv-c5p2-j2wg
nvd.nist.gov/vuln/detail/CVE-2026-32110

Code Behaviors & Features

Detect and mitigate CVE-2026-32110 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →