CVE-2026-40259

HIGH

SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API

Title source: cna

Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.

References (2)

[X_Refsource_Confirm] https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg

[X_Refsource_Misc] https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4

Scores

CVSS v3 8.1

EPSS 0.0003

EPSS Percentile 7.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (3)

b3log/siyuan < 3.6.4

siyuan-note/siyuan < 0.0.0-20260407035653-2f416e5253f1

siyuan-note/siyuan < 3.6.4

Published Apr 16, 2026

Tracked Since Apr 17, 2026