CVE-2026-32767 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 20, 2026
SiYuan - Authorization Bypass & SQL Injection
Overview
SiYuan <= 3.6.0 contains an authorization bypass caused by improper authorization checks in the /api/search/fullTextSearchBlock endpoint, allowing authenticated users to execute arbitrary SQL statements. Exploitation requires authentication.
Severity & Score
Impact
Authenticated users can execute arbitrary SQL commands, potentially leading to data modification or deletion and full database compromise.
Mitigation
Upgrade to version 3.6.1 or later.
References
Social Media Activity (2 posts)
⚠️ CVE-2026-32767: SiYuan (<3.6.1) has a CRITICAL SQL injection flaw in /api/search/fullTextSearchBlock. Any authenticated user can run SQL, risking full data compromise. Upgrade to 3.6.1+ ASAP. https://radar.offseq.com/threat/cve-2026-32767-cwe-89-improper-neutralization-of-s-8a5766fd #OffSeq #SiYuan #SQLInjection #Vuln
Related Resources
Details
- CVE ID: CVE-2026-32767
- Severity: Critical
- CVSS Score: 9.8
- Type: sql_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the vector's PR:N (no privileges required) does not match the overview above, which states that exploitation requires authentication; an authenticated-only precondition corresponds to PR:L.