CVE-2026-32767
- Source
- https://cve.org/CVERecord?id=CVE-2026-32767
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32767.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32767
- Aliases
- Downstream
- Related
- Published
- 2026-03-20T00:13:31.384Z
- Modified
- 2026-04-02T13:26:33.407515Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
- Details
-
SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the Reader role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database. This is inconsistent with the application's own security model: the dedicated SQL endpoint (/api/query/sql) correctly requires both CheckAdminRole and CheckReadonly middleware, but the search endpoint bypasses these controls entirely. This issue has been fixed in version 3.6.1.
- Database specific
{ "cwe_ids": [ "CWE-863", "CWE-89" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32767.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32767.json
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7
- https://nvd.nist.gov/vuln/detail/CVE-2026-32767
- https://github.com/siyuan-note/siyuan/issues/17209
- https://github.com/siyuan-note/siyuan/commit/d5e2d0bce0dffef5f61bd8066954bc2d41181fc5
Affected packages
Git / github.com/siyuan-note/siyuan
Affected ranges
- Type
- GIT
- Repo
- https://github.com/siyuan-note/siyuan
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/siyuan-note/siyuan
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
dev2.*
dev2.0.17-1
dev2.0.17-2
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.1-x2
v0.4.2
v0.4.3
v0.4.3-x1
v0.4.32
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.4.91
v0.4.92
v0.4.93
v0.4.94
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.41
v0.5.42
v0.5.43
v0.5.44
v0.5.45
v0.5.46
v0.5.5
v0.5.6
v0.5.6-alpha1
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.7.0
v0.7.1
v0.7.5
v0.7.8
v0.8.0
v0.8.5
v0.9.0
v0.9.2
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.81
v1.1.82
v1.1.83
v1.2.0
v1.2.0-beta1
v1.2.0-beta10
v1.2.0-beta11
v1.2.0-beta12
v1.2.0-beta13
v1.2.0-beta14
v1.2.0-beta15
v1.2.0-beta16
v1.2.0-beta2
v1.2.0-beta3
v1.2.0-beta4
v1.2.0-beta5
v1.2.0-beta6
v1.2.0-beta7
v1.2.0-beta8
v1.2.0-beta9
v1.2.0-rc1
v1.2.0-rc2
v1.2.0-rc3
v1.2.1
v1.2.2
v1.2.3
v1.2.31
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.5-beta1
v1.5.5-beta2
v1.5.5-beta3
v1.5.6
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.1
v1.8.2
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9
v2.*
v2.0.0
v2.0.0-beta1
v2.0.0-beta2
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.15-dev1
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.20-dev1
v2.0.21
v2.0.21-dev1
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.26-dev1
v2.0.26-dev2
v2.0.27
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.0-dev1
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.2
v2.1.3
v2.1.3-dev1
v2.1.4
v2.1.5
v2.1.6
v2.1.6-dev1
v2.1.7
v2.1.8
v2.1.8-dev1
v2.1.9
v2.10.0
v2.10.1
v2.10.1-dev1
v2.10.10
v2.10.10-dev1
v2.10.11
v2.10.11-dev1
v2.10.11-dev2
v2.10.11-dev3
v2.10.12
v2.10.12-dev1
v2.10.12-dev2
v2.10.13
v2.10.13-dev1
v2.10.13-dev2
v2.10.13-dev3
v2.10.13-dev4
v2.10.13-dev5
v2.10.14
v2.10.14-dev1
v2.10.14-dev2
v2.10.15
v2.10.15-dev1
v2.10.15-dev2
v2.10.15-dev3
v2.10.16
v2.10.16-dev1
v2.10.16-dev2
v2.10.16-dev3
v2.10.2
v2.10.2-dev1
v2.10.3
v2.10.3-dev1
v2.10.3-dev2
v2.10.3-dev3
v2.10.4
v2.10.4-dev1
v2.10.4-dev2
v2.10.4-dev3
v2.10.5
v2.10.5-dev1
v2.10.5-dev2
v2.10.6
v2.10.6-dev1
v2.10.6-dev2
v2.10.6-dev3
v2.10.6-dev4
v2.10.7
v2.10.8
v2.10.8-dev1
v2.10.8-dev2
v2.10.8-dev3
v2.10.9
v2.10.9-dev1
v2.10.9-dev2
v2.10.9-dev3
v2.10.9-dev4
v2.10.9-dev5
v2.11.0
v2.11.0-dev1
v2.11.0-dev2
v2.11.0-dev3
v2.11.1
v2.11.1-dev1
v2.11.1-dev2
v2.11.1-dev3
v2.11.2
v2.11.2-dev1
v2.11.2-dev2
v2.11.2-dev3
v2.11.2-dev4
v2.11.2-dev5
v2.11.2-dev6
v2.11.3
v2.11.3-dev1
v2.11.3-dev2
v2.11.4
v2.11.4-dev1
v2.11.4-dev2
v2.11.4-dev3
v2.11.4-dev4
v2.11.4-dev5
v2.11.4-dev6
v2.12.0
v2.12.0-dev1
v2.12.1
v2.12.1-dev1
v2.12.1-dev2
v2.12.1-dev3
v2.12.2
v2.12.3
v2.12.3-dev1
v2.12.3-dev2
v2.12.3-dev3
v2.12.4
v2.12.4-dev1
v2.12.4-dev2
v2.12.5
v2.12.6
v2.12.6-dev1
v2.12.7
v2.12.7-dev1
v2.12.7-dev2
v2.12.8
v2.12.8-dev1
v2.12.8-dev2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.12
v2.4.12-dev1
v2.4.12-dev2
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.0-dev1
v2.5.0-dev2
v2.5.1
v2.5.1-dev1
v2.5.1-dev2
v2.5.1-dev3
v2.5.1-dev4
v2.5.1-dev5
v2.5.2
v2.5.2-dev1
v2.5.2-dev2
v2.5.2-dev3
v2.5.3
v2.5.3-dev1
v2.5.3-dev2
v2.5.4
v2.5.4-dev1
v2.5.4-dev2
v2.5.5
v2.5.5-dev1
v2.6.0
v2.6.0-dev1
v2.6.0-dev2
v2.6.0-dev3
v2.6.1
v2.6.1-dev1
v2.6.1-dev2
v2.6.1-dev3
v2.6.1-dev4
v2.6.1-dev5
v2.6.1-dev6
v2.6.1-dev7
v2.6.2
v2.6.3
v2.6.3-dev1
v2.6.3-dev2
v2.6.3-dev3
v2.6.3-dev4
v2.6.3-dev5
v2.6.3-dev6
v2.7.0
v2.7.0-dev1
v2.7.0-dev2
v2.7.1
v2.7.1-dev1
v2.7.1-dev2
v2.7.1-dev3
v2.7.1-dev4
v2.7.1-dev5
v2.7.10
v2.7.2
v2.7.2-dev1
v2.7.2-dev2
v2.7.2-dev3
v2.7.3
v2.7.3-dev1
v2.7.3-dev2
v2.7.3-dev3
v2.7.3-dev4
v2.7.4
v2.7.4-dev1
v2.7.5
v2.7.5-dev1
v2.7.5-dev2
v2.7.6
v2.7.6-dev1
v2.7.6-dev2
v2.7.6-dev3
v2.7.6-dev4
v2.7.6-dev5
v2.7.7
v2.7.7-dev1
v2.7.7-dev2
v2.7.7-dev3
v2.7.7-dev4
v2.7.8
v2.7.8-dev1
v2.7.9
v2.7.9-dev1
v2.7.9-dev2
v2.8.0
v2.8.0-dev1
v2.8.0-dev2
v2.8.0-dev3
v2.8.1
v2.8.1-dev1
v2.8.1-dev2
v2.8.1-dev3
v2.8.10
v2.8.10-dev1
v2.8.10-dev2
v2.8.10-dev3
v2.8.10-dev4
v2.8.10-dev5
v2.8.2
v2.8.2-dev1
v2.8.2-dev2
v2.8.3
v2.8.3-dev1
v2.8.4
v2.8.4-dev1
v2.8.4-dev2
v2.8.5
v2.8.5-dev1
v2.8.5-dev2
v2.8.5-dev3
v2.8.6
v2.8.6-dev1
v2.8.6-dev2
v2.8.6-dev3
v2.8.6-dev4
v2.8.7
v2.8.7-dev1
v2.8.7-dev2
v2.8.7-dev3
v2.8.7-dev4
v2.8.7-dev5
v2.8.8
v2.8.8-dev1
v2.8.8-dev2
v2.8.8-dev3
v2.8.9
v2.8.9-dev1
v2.8.9-dev2
v2.8.9-dev3
v2.9.0
v2.9.0-dev1
v2.9.0-dev2
v2.9.1
v2.9.1-dev1
v2.9.1-dev2
v2.9.2
v2.9.2-dev1
v2.9.2-dev2
v2.9.2-dev3
v2.9.3
v2.9.3-dev1
v2.9.3-dev2
v2.9.3-dev3
v2.9.3-dev4
v2.9.4
v2.9.4-dev1
v2.9.4-dev2
v2.9.5
v2.9.5-dev1
v2.9.5-dev2
v2.9.6
v2.9.6-dev1
v2.9.7
v2.9.7-dev1
v2.9.7-dev2
v2.9.7-dev3
v2.9.8
v2.9.8-dev1
v2.9.8-dev2
v2.9.9
v2.9.9-dev1
v2.9.9-dev2
Other
v202205311650-dev
v3.*
v3.0.0
v3.0.0-dev1
v3.0.0-dev2
v3.0.1
v3.0.1-dev1
v3.0.1-dev2
v3.0.10
v3.0.10-dev1
v3.0.10-dev2
v3.0.10-dev3
v3.0.10-dev4
v3.0.10-dev5
v3.0.11
v3.0.11-dev1
v3.0.11-dev2
v3.0.11-dev3
v3.0.12
v3.0.12-dev1
v3.0.12-dev2
v3.0.12-dev3
v3.0.12-dev4
v3.0.12-dev5
v3.0.13
v3.0.13-dev1
v3.0.13-dev2
v3.0.13-dev3
v3.0.13-dev4
v3.0.14
v3.0.14-dev1
v3.0.14-dev2
v3.0.15
v3.0.15-dev1
v3.0.15-dev2
v3.0.16
v3.0.16-dev1
v3.0.16-dev2
v3.0.16-dev3
v3.0.17
v3.0.17-dev1
v3.0.17-dev2
v3.0.2
v3.0.2-dev1
v3.0.2-dev2
v3.0.3
v3.0.3-dev1
v3.0.3-dev2
v3.0.3-dev3
v3.0.3-dev4
v3.0.3-dev5
v3.0.3-dev6
v3.0.3-dev7
v3.0.4
v3.0.4-dev1
v3.0.4-dev2
v3.0.4-dev3
v3.0.5
v3.0.5-dev1
v3.0.5-dev2
v3.0.5-dev3
v3.0.5-dev4
v3.0.5-dev5
v3.0.6
v3.0.6-dev1
v3.0.6-dev2
v3.0.6-dev3
v3.0.7
v3.0.7-dev1
v3.0.8
v3.0.8-dev1
v3.0.8-dev2
v3.0.9
v3.1.0
v3.1.0-dev1
v3.1.0-dev10
v3.1.0-dev11
v3.1.0-dev12
v3.1.0-dev2
v3.1.0-dev3
v3.1.0-dev4
v3.1.0-dev5
v3.1.0-dev6
v3.1.0-dev7
v3.1.0-dev8
v3.1.0-dev9
v3.1.1
v3.1.1-dev1
v3.1.1-dev2
v3.1.10
v3.1.10-dev1
v3.1.10-dev2
v3.1.10-dev3
v3.1.10-dev4
v3.1.10-dev5
v3.1.10-dev6
v3.1.11
v3.1.11-dev1
v3.1.11-dev10
v3.1.11-dev11
v3.1.11-dev2
v3.1.11-dev3
v3.1.11-dev4
v3.1.11-dev5
v3.1.11-dev6
v3.1.11-dev7
v3.1.11-dev8
v3.1.11-dev9
v3.1.12
v3.1.12-dev1
v3.1.12-dev2
v3.1.12-dev3
v3.1.12-dev4
v3.1.12-dev5
v3.1.12-dev6
v3.1.13
v3.1.14
v3.1.14-dev1
v3.1.14-dev2
v3.1.14-dev3
v3.1.14-dev4
v3.1.14-dev5
v3.1.14-dev6
v3.1.14-dev7
v3.1.15
v3.1.15-dev1
v3.1.15-dev2
v3.1.15-dev3
v3.1.16
v3.1.16-dev1
v3.1.16-dev2
v3.1.17
v3.1.17-dev1
v3.1.17-dev2
v3.1.18
v3.1.18-dev1
v3.1.18-dev2
v3.1.19
v3.1.19-dev1
v3.1.19-dev2
v3.1.19-dev3
v3.1.2
v3.1.2-dev1
v3.1.2-dev2
v3.1.2-dev3
v3.1.2-dev4
v3.1.20
v3.1.20-dev1
v3.1.20-dev2
v3.1.20-dev3
v3.1.20-dev4
v3.1.21
v3.1.21-dev1
v3.1.21-dev2
v3.1.21-dev3
v3.1.21-dev4
v3.1.22
v3.1.22-dev1
v3.1.22-dev2
v3.1.23
v3.1.23-dev1
v3.1.23-dev2
v3.1.24
v3.1.24-dev1
v3.1.24-dev2
v3.1.24-dev3
v3.1.25
v3.1.25-dev1
v3.1.25-dev2
v3.1.25-dev3
v3.1.25-dev4
v3.1.25-dev5
v3.1.25-dev6
v3.1.26
v3.1.26-dev1
v3.1.26-dev2
v3.1.26-dev3
v3.1.27
v3.1.27-dev1
v3.1.27-dev2
v3.1.27-dev3
v3.1.27-dev4
v3.1.28
v3.1.28-dev1
v3.1.28-dev2
v3.1.28-dev3
v3.1.29
v3.1.29-dev1
v3.1.29-dev2
v3.1.29-dev3
v3.1.29-dev4
v3.1.29-dev5
v3.1.29-dev6
v3.1.29-dev7
v3.1.3
v3.1.3-dev1
v3.1.3-dev2
v3.1.30
v3.1.30-dev1
v3.1.31
v3.1.31-dev1
v3.1.31-dev2
v3.1.32
v3.1.32-dev1
v3.1.32-dev2
v3.1.32-dev3
v3.1.32-dev4
v3.1.32-dev5
v3.1.4
v3.1.4-dev1
v3.1.4-dev2
v3.1.4-dev3
v3.1.4-dev4
v3.1.4-dev5
v3.1.5
v3.1.5-dev1
v3.1.5-dev2
v3.1.6
v3.1.6-dev1
v3.1.6-dev2
v3.1.7
v3.1.7-dev1
v3.1.7-dev2
v3.1.7-dev3
v3.1.7-dev4
v3.1.7-dev5
v3.1.7-dev6
v3.1.7-dev7
v3.1.7-dev8
v3.1.8
v3.1.8-dev1
v3.1.8-dev2
v3.1.8-dev3
v3.1.9
v3.1.9-dev1
v3.1.9-dev10
v3.1.9-dev2
v3.1.9-dev3
v3.1.9-dev4
v3.1.9-dev5
v3.1.9-dev6
v3.1.9-dev7
v3.1.9-dev8
v3.1.9-dev9
v3.2.0
v3.2.0-dev1
v3.2.0-dev10
v3.2.0-dev2
v3.2.0-dev3
v3.2.0-dev4
v3.2.0-dev5
v3.2.0-dev6
v3.2.0-dev7
v3.2.0-dev8
v3.2.0-dev9
v3.2.1
v3.2.1-dev1
v3.2.1-dev2
v3.2.1-dev3
v3.2.1-dev4
v3.2.1-dev5
v3.2.1-dev6
v3.3.0
v3.3.0-dev1
v3.3.0-dev2
v3.3.0-dev3
v3.3.0-dev4
v3.3.0-dev5
v3.3.0-dev6
v3.3.0-dev7
v3.3.1
v3.3.1-dev1
v3.3.2
v3.3.2-dev1
v3.3.2-dev2
v3.3.3
v3.3.3-dev1
v3.3.3-dev2
v3.3.3-dev3
v3.3.3-dev4
v3.3.3-dev5
v3.3.4
v3.3.4-dev1
v3.3.4-dev2
v3.3.5
v3.3.5-dev1
v3.3.6
v3.3.6-dev1
v3.3.6-dev2
v3.4.0
v3.4.0-dev1
v3.4.0-dev2
v3.4.0-dev3
v3.4.0-dev4
v3.4.0-dev5
v3.4.1
v3.4.1-dev1
v3.4.1-dev2
v3.4.2
v3.4.2-dev1
v3.5.0
v3.5.0-dev1
v3.5.0-dev2
v3.5.1
v3.5.1-dev1
v3.5.1-dev2
v3.5.10
v3.5.2
v3.5.2-dev1
v3.5.2-dev2
v3.5.3
v3.5.3-dev1
v3.5.3-dev2
v3.5.3-dev3
v3.5.3-dev4
v3.5.3-dev5
v3.5.3-dev6
v3.5.4
v3.5.4-dev1
v3.5.4-dev2
v3.5.4-dev3
v3.5.4-dev4
v3.5.4-dev5
v3.5.4-dev6
v3.5.5
v3.5.5-dev1
v3.5.5-dev2
v3.5.6
v3.5.6-dev1
v3.5.7
v3.5.8
v3.5.8-dev1
v3.5.8-dev2
v3.5.9
v3.5.9-dev1
v3.5.9-dev2
v3.6.0