CVE-2026-32815: SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
(updated )
SiYuan’s WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users.
Combined with the absence of Origin header validation, a malicious website can silently connect to a victim’s local SiYuan instance and monitor their note-taking activity.
References
- github.com/advisories/GHSA-xp2m-98x8-rpj6
- github.com/siyuan-note/siyuan
- github.com/siyuan-note/siyuan/commit/1e370e37359778c0932673e825182ff555b504a3
- github.com/siyuan-note/siyuan/releases/tag/v3.6.1
- github.com/siyuan-note/siyuan/security/advisories/GHSA-xp2m-98x8-rpj6
- nvd.nist.gov/vuln/detail/CVE-2026-32815
Code Behaviors & Features
Detect and mitigate CVE-2026-32815 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →