CRITICAL | CVE-2026-54069 | CNA: GitHub_M

CVE-2026-54069: SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 3.7.0
Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass in SiYuan Note's kernel HTTP server lets any installed Chrome or Chromium extension make administrator-level API calls to the local SiYuan service without credentials. Before 3.7.0 the server grants RoleAdministrator to every request whose Origin header begins with chrome-extension://, regardless of which extension sent it; on desktop installs the default AccessAuthCode is empty as well, so nothing else stands between an extension and the kernel at 127.0.0.1:6806. An extension (including a legitimate one compromised through its supply chain) therefore gets full read and write access to the user's notes: data exfiltration, stored XSS injection into note content, and configuration tampering. Upstream fixed the issue in 3.7.0; HarborGuard tracks the advisory and makes a patched-image rebuild available once the fixed release is ingested.

HarborGuard Coverage

Detection

Detection for CVE-2026-54069 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle SiYuan.

Available
Triage

Triage is available with the full CVSS v4.0 score of 9.2 (Critical) applied automatically; per-environment compliance policy weighting can escalate or route the finding to the appropriate team inbox within each customer organization.

Available
Patch

Upstream fixed this in SiYuan 3.7.0 (the affected range is < 3.7.0). HarborGuard re-checks the advisory on every ingest cycle and makes a patched-image rebuild available automatically once the remediated release is ingested.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker's requests must reach the SiYuan kernel HTTP server, which listens on 127.0.0.1:6806. In the scenario this advisory describes the requests originate from an extension running in the victim's own browser and travel over loopback, so the only requirement is that the kernel is running when the extension fires; no route from the attacker's machine to the host is needed. The CVSS vector nonetheless records the vector as Network (AV:N).

  • Authentication: Not required

    No credentials are needed. The server grants RoleAdministrator to any request whose Origin header begins with chrome-extension:// without checking anything else, and on desktop installs the default AccessAuthCode is empty in any case. An extension ID is neither secret nor tied to a trusted party, so matching that prefix authenticates nothing.

  • Victim interaction: Not required

    The victim only needs to have a malicious or compromised extension installed; the extension can issue the API calls silently from its background context, with no click or prompt.

  • Attack complexity: High

    Rated High (AC:H) because of the environmental precondition: a malicious or supply-chain-compromised Chrome/Chromium extension must already be installed in the victim's browser. Once that holds, the calls themselves are ordinary HTTP requests.

Blast Radius

  • Reads and exfiltrates all notes, attachments, and stored data from the SiYuan knowledge base.
  • Injects stored XSS payloads into note content that execute in the SiYuan desktop or browser interface.
  • Modifies or deletes SiYuan configuration, including sync settings, access codes, and workspace paths.
  • Tampers with persisted notebook and document structure, causing data loss or corruption.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-54069 is active across all environments that include SiYuan images, with findings surfaced at Critical severity (CVSS 9.2). Upstream fixed the issue in SiYuan 3.7.0; HarborGuard monitors the advisory on every ingest cycle and triggers a patched-image rebuild automatically once the remediated release is ingested. The remediation is to upgrade to 3.7.0 or later. Until that is done, compensating controls narrow the exposure but do not remove it: set a strong, non-empty AccessAuthCode in SiYuan's configuration to close the default-empty-credential exposure for ordinary callers (the advisory describes the chrome-extension:// trust as unconditional, so do not rely on the access code alone); audit the Chrome/Chromium extensions installed on machines that run SiYuan, since an installed extension is the precondition for this attack; and for container or server deployments that expose port 6806 beyond loopback, restrict inbound access to explicitly trusted sources with network-policy rules, bearing in mind that such rules do nothing against an extension talking to the kernel over 127.0.0.1. For customers with auto-remediation enabled, the rebuild, regression run and PR against affected workloads are initiated without manual intervention as soon as the fix version is ingested.
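To make the two preconditions in this advisory concrete (the blanket chrome-extension:// trust described in the synopsis and the advisory text, and the empty-AccessAuthCode exposure that the compensating controls above address), here is a simplified Go model of the kernel's role decision. It is an added example written for this page, not SiYuan's source and not the change shipped in 3.7.0; the KernelConfig type, the "Authorization: Token <code>" credential scheme, the /api/example path and the extension ID are assumed or constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// Role mirrors the distinction the advisory draws: RoleAdministrator can read
// and write every note and setting; RoleUnauthenticated gets nothing.
type Role int

const (
	RoleUnauthenticated Role = iota
	RoleAdministrator
)

func (r Role) String() string {
	if r == RoleAdministrator {
		return "RoleAdministrator"
	}
	return "RoleUnauthenticated"
}

// KernelConfig is a hypothetical stand-in for the one setting that matters
// here; it is not SiYuan's real configuration structure.
type KernelConfig struct {
	AccessAuthCode string // empty by default on desktop installs (per the advisory)
}

// roleFromCredentials is the ordinary credential path. The scheme
// "Authorization: Token <AccessAuthCode>" is an assumption of this model.
// With an empty code there is no secret to demand, so every caller becomes an
// administrator: the default-empty-credential exposure the advisory pairs
// with the origin bug.
func roleFromCredentials(cfg KernelConfig, r *http.Request) Role {
	if cfg.AccessAuthCode == "" {
		return RoleAdministrator
	}
	const scheme = "Token "
	auth := r.Header.Get("Authorization")
	if strings.HasPrefix(auth, scheme) &&
		subtle.ConstantTimeCompare([]byte(auth[len(scheme):]), []byte(cfg.AccessAuthCode)) == 1 {
		return RoleAdministrator
	}
	return RoleUnauthenticated
}

// vulnerableRole models the pre-3.7.0 behaviour the advisory describes: any
// Origin beginning with chrome-extension:// is promoted to administrator
// before any credential is looked at. Extension IDs are not secrets, so the
// prefix check is a blanket allowlist, not an identity check.
func vulnerableRole(cfg KernelConfig, r *http.Request) Role {
	if strings.HasPrefix(r.Header.Get("Origin"), "chrome-extension://") {
		return RoleAdministrator
	}
	return roleFromCredentials(cfg, r)
}

// hardenedRole drops the origin shortcut so an extension is authenticated
// like any other HTTP client. This is one way to close the hole, not a
// description of what SiYuan 3.7.0 actually changed.
func hardenedRole(cfg KernelConfig, r *http.Request) Role {
	return roleFromCredentials(cfg, r)
}

// extensionRequest builds what a background script of an installed extension
// sends to the local kernel: no credentials, only the Origin header the
// browser attaches automatically. Path and extension ID are constructed.
func extensionRequest() *http.Request {
	req, _ := http.NewRequest(http.MethodPost, "http://127.0.0.1:6806/api/example", nil)
	req.Header.Set("Origin", "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
	return req
}

// Outcomes evaluates the extension's request against the four combinations
// of (origin check, access code) so the two preconditions can be seen apart.
func Outcomes() map[string]Role {
	empty := KernelConfig{}
	set := KernelConfig{AccessAuthCode: "constructed-strong-code"}
	req := extensionRequest()
	return map[string]Role{
		"vulnerable/empty-code": vulnerableRole(empty, req),
		"vulnerable/code-set":   vulnerableRole(set, req), // the CVE: origin alone is enough
		"hardened/empty-code":   hardenedRole(empty, req), // why the code must also be set
		"hardened/code-set":     hardenedRole(set, req),   // extension now needs the code
	}
}

func main() {
	for name, role := range Outcomes() {
		fmt.Printf("%-24s -> %s\n", name, role)
	}
}
```

The two rows worth comparing are vulnerable/code-set, where the extension is an administrator even though a code is configured (the bypass itself), and hardened/empty-code, where removing the origin shortcut still leaves every caller an administrator because there is no secret to check. Only hardened/code-set turns the credential-less extension away, which is why the fix and a non-empty AccessAuthCode belong together.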

Affected packages
  • siyuan-note / siyuan
    < 3.7.0
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N