GHSA-P4M3-MGMM-C664
Vulnerability from github – Published: 2026-07-10 19:25 – Updated: 2026-07-10 19:25Summary
The patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the
identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint,
default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir — including
conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db,
temp/blocktree.db, and siyuan.log — by double-URL-encoding .. segments.
Verified against siyuan v3.6.5:
- GET /assets/%252e%252e/%252e%252e/conf/conf.json → HTTP 200, 10349 bytes (conf.json served)
- GET /export/%252e%252e/%252e%252e/conf/conf.json → HTTP 401 (patched)
- GET /assets/%2e%2e/conf/conf.json → HTTP 404 (single-decode handled correctly)
## Vulnerable Code
Step 1 — route & first decode (kernel/server/serve.go:587-626):
The router registers GET /assets/*path for the publish listener. Gin performs one URL decoding pass on URL.Path,
so a request for /assets/%252e%252e/... yields context.Param("path") == "/%2e%2e/%2e%2e/conf/conf.json" — literal
%2e%2e strings, which path.Clean cannot collapse.
Step 2 — second decode via fallback (kernel/model/assets.go:536-563, GetAssetAbsPath):
go
p, err := getAssetAbsPath(relativePath)
if nil != err {
// fallback
decoded, e := url.PathUnescape(relativePath) // ← line 548, second decode
if nil == e {
p, err = getAssetAbsPath(decoded)
}
}
After the fallback decodes %2e%2e to .., filepath.Join(DataDir, "../../conf/conf.json") is Clean-ed to
WorkspaceDir/conf/conf.json, an existing file.
Step 3 — publish-mode access gate fall-through (kernel/model/publish_access.go:288,
CheckAbsPathAccessableByPublishAccess):
go
if !filelock.IsSubPath(util.DataDir, absPath) {
return true // ← fall-through allows anything outside DataDir but inside WorkspaceDir
}
Because the resolved file is outside DataDir (it's in WorkspaceDir), the gate returns true and
IsSensitivePath() is never invoked — .db / .log / conf/ denylists do not apply to the /assets/ route at all
(unlike the patched /export/ route, which additionally checks IsSubPath(exportBaseDir, ...)).
Step 4 — file served (http.ServeFile): the request URL.Path contains literal %2e%2e, not .., so Go's
containsDotDot guard passes and the file is sent.
## PoC
Preconditions: siyuan kernel running with publish mode enabled (conf.publish.enable = true). Publish mode is the
documented anonymous read-only endpoint for sharing notebooks.
$ curl -i "http://victim:6808/assets/%252e%252e/%252e%252e/conf/conf.json"
HTTP/1.1 200 OK
Content-Length: 10349
Content-Type: application/json
...
{"appearance":{...},"editor":{...},"system":{...},"accessAuthCode":"<sha256>","api":{"token":"<api token>"}, ...}
Compared with the patched route:
$ curl -i "http://victim:6808/export/%252e%252e/%252e%252e/conf/conf.json"
HTTP/1.1 401 Unauthorized
## Root Cause
Three independent flaws combine:
1. GetAssetAbsPath performs a second url.PathUnescape as a "compatibility" fallback, re-introducing the
double-decode primitive that the CVE-2026-41894 patch eliminated on /export/.
2. CheckAbsPathAccessableByPublishAccess returns true for any path outside DataDir, even when that path is still
inside WorkspaceDir (which contains conf/conf.json, temp/*.db, siyuan.log).
3. The IsSensitivePath() denylist applied to /export/ is not called from the /assets/ handler.
## Impact
Unauthenticated remote arbitrary file read inside WorkspaceDir. Confirmed-readable files include:
- conf/conf.json — accessAuthCode SHA256 (offline crackable), API token, S3/WebDAV sync credentials.
- temp/siyuan.db, temp/blocktree.db, temp/asset_content.db — full notebook content (SQLite).
- siyuan.log — internal paths, OS username, plugin info.
Compromise of accessAuthCode / API token escalates to authenticated kernel API access (full read/write of all
notebooks). Compromise of sync credentials escalates beyond the host.
## Fix
1. Remove the url.PathUnescape fallback in GetAssetAbsPath (assets.go:548), matching the /export/ patch.
2. In CheckAbsPathAccessableByPublishAccess, replace the IsSubPath(DataDir, ...) fall-through with an explicit
allowlist (only DataDir and its publishable subtree) and always call IsSensitivePath().
3. Apply IsSensitivePath() inside the /assets/*path handler in serve.go as defense-in-depth.
## Status
Privately reported via GitHub Security Advisory. PoC reproduced locally against v3.6.5 (publish port 6808): GET
/assets/%252e%252e/%252e%252e/conf/conf.json returned HTTP 200 / 10349 bytes.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260628153353-2d5d72223df4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54066"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T19:25:04Z",
"nvd_published_at": "2026-06-24T22:16:48Z",
"severity": "HIGH"
},
"details": "## Summary\n The patch for CVE-2026-41894 (\"Path Traversal via Double URL Encoding\") sanitized the `/export/` route but the\n **identical root cause remains in the `/assets/*path` route**. In publish mode (anonymous read-only HTTP endpoint,\n default port 6808), an unauthenticated remote attacker can read arbitrary files inside `WorkspaceDir` \u2014 including\n `conf/conf.json` (which contains the `AccessAuthCode` SHA256 hash, API token, and sync keys), `temp/siyuan.db`,\n `temp/blocktree.db`, and `siyuan.log` \u2014 by double-URL-encoding `..` segments.\n\n Verified against siyuan v3.6.5:\n - `GET /assets/%252e%252e/%252e%252e/conf/conf.json` \u2192 **HTTP 200, 10349 bytes (conf.json served)**\n - `GET /export/%252e%252e/%252e%252e/conf/conf.json` \u2192 HTTP 401 (patched)\n - `GET /assets/%2e%2e/conf/conf.json` \u2192 HTTP 404 (single-decode handled correctly)\n\n ## Vulnerable Code\n\n **Step 1 \u2014 route \u0026 first decode** (`kernel/server/serve.go:587-626`):\n The router registers `GET /assets/*path` for the publish listener. Gin performs one URL decoding pass on `URL.Path`,\n so a request for `/assets/%252e%252e/...` yields `context.Param(\"path\") == \"/%2e%2e/%2e%2e/conf/conf.json\"` \u2014 literal\n `%2e%2e` strings, which `path.Clean` cannot collapse.\n\n **Step 2 \u2014 second decode via fallback** (`kernel/model/assets.go:536-563`, `GetAssetAbsPath`):\n ```go\n p, err := getAssetAbsPath(relativePath)\n if nil != err {\n // fallback\n decoded, e := url.PathUnescape(relativePath) // \u2190 line 548, second decode\n if nil == e {\n p, err = getAssetAbsPath(decoded)\n }\n }\n ```\n After the fallback decodes `%2e%2e` to `..`, `filepath.Join(DataDir, \"../../conf/conf.json\")` is `Clean`-ed to\n `WorkspaceDir/conf/conf.json`, an existing file.\n\n **Step 3 \u2014 publish-mode access gate fall-through** (`kernel/model/publish_access.go:288`,\n `CheckAbsPathAccessableByPublishAccess`):\n ```go\n if !filelock.IsSubPath(util.DataDir, absPath) {\n return true // \u2190 fall-through allows anything outside DataDir but inside WorkspaceDir\n }\n ```\n Because the resolved file is *outside* `DataDir` (it\u0027s in `WorkspaceDir`), the gate returns `true` and\n `IsSensitivePath()` is never invoked \u2014 `.db` / `.log` / `conf/` denylists do not apply to the `/assets/` route at all\n (unlike the patched `/export/` route, which additionally checks `IsSubPath(exportBaseDir, ...)`).\n\n **Step 4 \u2014 file served** (`http.ServeFile`): the request `URL.Path` contains literal `%2e%2e`, not `..`, so Go\u0027s\n `containsDotDot` guard passes and the file is sent.\n\n ## PoC\n\n Preconditions: siyuan kernel running with publish mode enabled (`conf.publish.enable = true`). Publish mode is the\n documented anonymous read-only endpoint for sharing notebooks.\n\n ```\n $ curl -i \"http://victim:6808/assets/%252e%252e/%252e%252e/conf/conf.json\"\n HTTP/1.1 200 OK\n Content-Length: 10349\n Content-Type: application/json\n ...\n {\"appearance\":{...},\"editor\":{...},\"system\":{...},\"accessAuthCode\":\"\u003csha256\u003e\",\"api\":{\"token\":\"\u003capi token\u003e\"}, ...}\n ```\n\n Compared with the patched route:\n ```\n $ curl -i \"http://victim:6808/export/%252e%252e/%252e%252e/conf/conf.json\"\n HTTP/1.1 401 Unauthorized\n ```\n\n ## Root Cause\n Three independent flaws combine:\n 1. `GetAssetAbsPath` performs a second `url.PathUnescape` as a \"compatibility\" fallback, re-introducing the\n double-decode primitive that the CVE-2026-41894 patch eliminated on `/export/`.\n 2. `CheckAbsPathAccessableByPublishAccess` returns `true` for any path outside `DataDir`, even when that path is still\n inside `WorkspaceDir` (which contains `conf/conf.json`, `temp/*.db`, `siyuan.log`).\n 3. The `IsSensitivePath()` denylist applied to `/export/` is not called from the `/assets/` handler.\n\n ## Impact\n Unauthenticated remote arbitrary file read inside `WorkspaceDir`. Confirmed-readable files include:\n - `conf/conf.json` \u2014 `accessAuthCode` SHA256 (offline crackable), API token, S3/WebDAV sync credentials.\n - `temp/siyuan.db`, `temp/blocktree.db`, `temp/asset_content.db` \u2014 full notebook content (SQLite).\n - `siyuan.log` \u2014 internal paths, OS username, plugin info.\n\n Compromise of `accessAuthCode` / API token escalates to authenticated kernel API access (full read/write of all\n notebooks). Compromise of sync credentials escalates beyond the host.\n\n ## Fix\n 1. Remove the `url.PathUnescape` fallback in `GetAssetAbsPath` (assets.go:548), matching the `/export/` patch.\n 2. In `CheckAbsPathAccessableByPublishAccess`, replace the `IsSubPath(DataDir, ...)` fall-through with an explicit\n allowlist (only `DataDir` and its publishable subtree) and **always** call `IsSensitivePath()`.\n 3. Apply `IsSensitivePath()` inside the `/assets/*path` handler in `serve.go` as defense-in-depth.\n\n ## Status\n Privately reported via GitHub Security Advisory. PoC reproduced locally against v3.6.5 (publish port 6808): `GET\n /assets/%252e%252e/%252e%252e/conf/conf.json` returned HTTP 200 / 10349 bytes.",
"id": "GHSA-p4m3-mgmm-c664",
"modified": "2026-07-10T19:25:04Z",
"published": "2026-07-10T19:25:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-p4m3-mgmm-c664"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54066"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file\u2500read), Incomplete fix of CVE-2026-41894 "
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.