PatchSiren cyber security CVE debrief
CVE-2026-59854 siyuan-note CVE debrief
CVE-2026-59854 is a file exfiltration vulnerability in SiYuan, a personal knowledge management system. An authenticated administrator or API-token user can copy sensitive files through the API. This issue allows attackers to access sensitive information, potentially leading to further exploitation. Users should review their deployment and apply mitigations.
- Vendor
- siyuan-note
- Product
- siyuan
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of SiYuan personal knowledge management system, especially those with administrative or API-token access, should be aware of this vulnerability. They should review their systems for exposure and apply necessary patches or mitigations.
Technical summary
The vulnerability exists in the POST /api/file/globalCopyFiles endpoint of SiYuan, which accepts attacker-supplied absolute source paths. The util.IsSensitivePath function in kernel/util/path.go has a denylist that misses common home-directory credential files. This allows an authenticated administrator or API-token user to copy sensitive files such as .git-credentials, .netrc, .pgpass, .kube/config, .docker/config.json, and .gnupg into the workspace and exfiltrate them through the file API.
Defensive priority
High
Recommended defensive actions
- Restrict access to the POST /api/file/globalCopyFiles endpoint
- Implement additional validation for source paths
- Monitor for suspicious file access patterns
- Update to version 3.7.1-alpha.2 or 3.7.1
- Review and restrict API-token user permissions
- Perform regular security audits to detect potential exposures
- Implement compensating controls for exposed systems
Evidence notes
The CVE record was published on 2026-07-09T23:17:06.163Z and was last modified on 2026-07-10T15:49:19.093Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not be comprehensive. Additional verification is recommended.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T23:17:06.163Z and has not been modified since then. The NVD entry is currently Deferred.