Overview
CVE-2026-33670 is a critical path traversal vulnerability in SiYuan, an open-source personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface failed to restrict directory traversal, allowing unauthenticated attackers to enumerate the filenames of all documents stored under any notebook in the SiYuan data directory.
The vulnerability is assigned a CVSS v3.1 base score of 9.8 (Critical) and is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory — Path Traversal). It is published under GitHub Security Advisory GHSA-xmw9-6r43-x9ww.
This CVE was disclosed the same day as the closely related CVE-2026-33669, which exploits the same readDir interface to also expose full document content via a chained API call.
Technical Details
SiYuan runs a local HTTP server that backs its web-based interface. The /api/file/readDir endpoint is designed to list directory contents within SiYuan's data storage, but the implementation does not:
- Authenticate callers — any client with network access can call the endpoint
- Restrict the traversal path — the endpoint accepts caller-supplied path parameters and does not enforce containment within the SiYuan data directory
An attacker can supply crafted path parameters to traverse beyond the intended data boundaries and retrieve the filenames of all documents (.sy files) contained in any notebook. While this CVE specifically addresses filename enumeration, the information returned is directly usable in subsequent attacks — including content extraction via CVE-2026-33669 or targeted deletion/modification if write-capable endpoints are similarly unprotected.
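The two defects named above (no caller authentication, no containment of the caller-supplied path) are easiest to see in code. The following Go example is added here as an illustration and is not SiYuan's own code or its 3.6.2 patch: `ResolveWithinDataDir` is a hypothetical lexical containment check that collapses `.` and `..` segments before testing that the target stays under the data directory, and `ReadDirHandler` is a hypothetical listing endpoint that requires a shared token (the `Authorization: Token ...` header form and the `path` query parameter are assumptions for the example) and applies that check before reading the file system. The data directory path and notebook name in `main` are constructed sample values.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideDataDir signals a caller-supplied path that would escape the data directory.
var ErrOutsideDataDir = errors.New("path escapes the data directory")

// ResolveWithinDataDir joins userPath onto dataDir and refuses any result that does not
// stay inside dataDir. The check is lexical: "." and ".." segments are collapsed first,
// so "notebook/../../etc" resolves and is rejected exactly like a plain "../../etc".
func ResolveWithinDataDir(dataDir, userPath string) (string, error) {
	base, err := filepath.Abs(dataDir)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(userPath) {
		// The endpoint only lists inside the data directory; an absolute path is never legitimate.
		return "", ErrOutsideDataDir
	}
	target := filepath.Join(base, userPath) // Join cleans the joined result
	if target != base && !strings.HasPrefix(target, base+string(filepath.Separator)) {
		return "", ErrOutsideDataDir
	}
	return target, nil
}

// ReadDirHandler is a hypothetical hardened listing endpoint (added example, not SiYuan's code):
// it requires a shared token and applies ResolveWithinDataDir before touching the file system.
type ReadDirHandler struct {
	DataDir string
	Token   string // constructed shared secret for the example; not SiYuan's real auth mechanism
}

func (h ReadDirHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Defect 1 from the advisory: no authentication. Compare the token in constant time.
	got := []byte(r.Header.Get("Authorization"))
	want := []byte("Token " + h.Token)
	if subtle.ConstantTimeCompare(got, want) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	// Defect 2 from the advisory: no containment of the caller-supplied path.
	requested := r.URL.Query().Get("path")
	target, err := ResolveWithinDataDir(h.DataDir, requested)
	if err != nil {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	entries, err := os.ReadDir(target)
	if err != nil {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	names := make([]string, 0, len(entries))
	for _, e := range entries {
		names = append(names, e.Name())
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]any{"path": requested, "files": names})
}

func main() {
	// Stand-alone demo of the containment check against a constructed data directory; no server runs.
	for _, p := range []string{"20250317162531-abc123de", "../../etc", "notebook/../../x", "/etc"} {
		_, err := ResolveWithinDataDir("/srv/siyuan/data", p)
		fmt.Printf("%-28q -> %v\n", p, err)
	}
}
```

The containment test is deliberately a string-prefix check on the cleaned path with a trailing separator appended, so that a sibling such as `/srv/siyuan/data2` is not mistaken for a child of `/srv/siyuan/data`. It is purely lexical: if the data directory or a notebook inside it contains symlinks pointing elsewhere, resolve the target with `filepath.EvalSymlinks` and repeat the prefix test on the result before calling `os.ReadDir`.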
What Does Enumeration Expose?
SiYuan document filenames follow the pattern YYYYMMDDHHMMSS-hash.sy (e.g., 20250317162531-abc123de.sy). While the filename itself is not the document's title, the traversal response may also expose:
- Full directory tree structure of the notebook
- Document hierarchy and folder organisation
- Document ID components needed for further API calls
This metadata can reveal the structure and scope of sensitive information stored in the knowledge base before an attacker proceeds to content extraction.
Affected Versions
| Software | Affected Versions | Fixed Version |
|---|---|---|
| SiYuan | All versions prior to 3.6.2 | 3.6.2 |
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| CWE | CWE-22 (Path Traversal) |
Relationship to CVE-2026-33669
These two CVEs form a natural attack chain:
| CVE | Interface | Action |
|---|---|---|
| CVE-2026-33670 | /api/file/readDir | Traverse notebook directory, enumerate document filenames and IDs |
| CVE-2026-33669 | /api/block/getChildBlocks | Use enumerated IDs to read full document content |
Together, the two vulnerabilities enable complete, unauthenticated exfiltration of the entire SiYuan knowledge base. Both are fixed in version 3.6.2.
Exposure Context
Risk is highest for SiYuan instances deployed in network-accessible configurations:
- Server or NAS deployments with the SiYuan port reachable over LAN or internet
- Port-forwarded or reverse-proxied SiYuan instances
- Cloud VMs or containers with the SiYuan port exposed
- Shared office or campus networks where untrusted devices can reach the host
Local-only deployments (where SiYuan binds to 127.0.0.1 with no forwarding) are not directly exploitable from the network, though local privilege escalation or compromised applications on the same host could still trigger the vulnerability.
Patch & Mitigation
Primary fix: Upgrade to SiYuan version 3.6.2 or later. The patch adds proper path validation and authentication enforcement to the readDir endpoint.
Interim mitigations:
- Bind SiYuan to localhost — ensure the HTTP server listens only on 127.0.0.1:6806, not on 0.0.0.0 or a LAN-accessible interface.
- Firewall the SiYuan port — block external access to port 6806 (or whichever port SiYuan is configured to use).
- Add an authentication layer if serving SiYuan remotely — use an authenticating reverse proxy (e.g., nginx with auth_basic, Authelia, Authentik) in front of the SiYuan HTTP server.
- Audit access logs for unexpected requests to /api/file/readDir from non-localhost sources.
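For the log-audit step, the following Go example is added here (it is not SiYuan's own code) to show what "unexpected requests to the readDir endpoint from non-localhost sources" looks like as a concrete check. It assumes the SiYuan port is fronted by a reverse proxy that writes nginx "combined" format access logs; the log lines in `sampleLog` are constructed for the example and are not from any real deployment. It flags requests to both endpoints named in the advisory so that a readDir hit followed by getChildBlocks from the same source stands out.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example in nginx "combined" format (not a real capture).
// Two lines come from loopback addresses (a legitimate local client); two come from 203.0.113.10.
const sampleLog = `127.0.0.1 - - [17/Mar/2025:16:25:31 +0000] "POST /api/file/readDir HTTP/1.1" 200 512 "-" "SiYuan/3.5.0"
203.0.113.10 - - [17/Mar/2025:16:26:02 +0000] "POST /api/file/readDir HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.10 - - [17/Mar/2025:16:26:05 +0000] "POST /api/block/getChildBlocks HTTP/1.1" 200 20480 "-" "python-requests/2.31"
10.0.0.5 - - [17/Mar/2025:16:30:00 +0000] "GET /stage/build/app/index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
::1 - - [17/Mar/2025:16:31:00 +0000] "POST /api/file/readDir HTTP/1.1" 200 512 "-" "SiYuan/3.5.0"`

// WatchedPaths are the two endpoints the advisory names; matched exactly after stripping any query string.
var WatchedPaths = map[string]bool{
	"/api/file/readDir":         true,
	"/api/block/getChildBlocks": true,
}

// lineRe captures source address, timestamp, method, request target and status from a combined-format line.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Finding is one request to a watched endpoint that did not come from a loopback address.
type Finding struct {
	Source, Time, Method, Path, Status string
}

// isLoopback is true for 127.0.0.0/8 and ::1; anything unparseable is treated as non-local.
func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// AuditAccessLog returns one Finding per watched-endpoint request from a non-loopback source.
// Lines that do not match the combined format are skipped rather than failing the whole audit.
func AuditAccessLog(logText string) []Finding {
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		path := strings.SplitN(m[4], "?", 2)[0]
		if !WatchedPaths[path] || isLoopback(m[1]) {
			continue
		}
		out = append(out, Finding{Source: m[1], Time: m[2], Method: m[3], Path: path, Status: m[5]})
	}
	return out
}

func main() {
	for _, f := range AuditAccessLog(sampleLog) {
		fmt.Printf("%s %s %s %s -> %s\n", f.Time, f.Source, f.Method, f.Path, f.Status)
	}
}
```

Run against the constructed sample it reports the two requests from 203.0.113.10 and ignores the loopback ones. When the proxy sits behind another load balancer the first field will be the balancer's address, so log and parse the forwarded client address instead; and because the 200 status with a non-trivial response size is the interesting signal here, a status of 401 or 403 after the upgrade to 3.6.2 is the expected, benign outcome for the same request.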
Recommendations
Any SiYuan deployment accessible beyond localhost should be considered compromised until:
- The instance is upgraded to version 3.6.2 or later
- Access logs are reviewed for evidence of traversal activity
- Stored documents containing sensitive information are assessed for potential exfiltration
Given that both CVE-2026-33670 and CVE-2026-33669 are low-complexity, zero-authentication vulnerabilities, treat any network-accessible pre-3.6.2 instance as fully compromised from a data confidentiality standpoint.