CVE-2026-40259

HIGH

8.1

Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model function that unconditionally deletes the corresponding attribute view file from the workspace without verifying that the caller has write privileges or that the target attribute view is actually unused. An authenticated publish-service reader can permanently delete arbitrary attribute view definitions by extracting publicly exposed data-av-id values from published content, causing breakage of database views and workspace rendering until manually restored. This issue has been fixed in version 3.6.4.

Details CVE

Score CVSS v3.18.1

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisLOW

Interaction utilisateurNONE

Publie4/16/2026

Derniere modification4/20/2026

Sourcenvd

Observations honeypot0

Produits affectes

b3log:siyuan

Faiblesses (CWE)

CWE-285

References

https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4(security-advisories@github.com)

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg(security-advisories@github.com)

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.