SiYuan, an open-source AI-integrated note-taking and personal knowledge-base tool, ships an unauthenticated 'publish mode' HTTP endpoint that lets a remote attacker read arbitrary files inside the workspace directory by double-URL-encoding path traversal sequences in the /assets/ route — the exact bug class the vendor believed it had already fixed under CVE-2026-41894. The exposed conf/conf.json file contains the instance's accessAuthCode hash and API token, which upgrades this from a read primitive into full authenticated read/write access to every notebook on the instance, and any S3/WebDAV sync credentials in the same file let an attacker pivot to external storage. With 2,965 downstream dependents and an EPSS score in the top 23% of CVEs by exploitation likelihood, this is a meaningful exposure even though it is not yet in CISA KEV and no public exploit or Nuclei template has surfaced. Any team running SiYuan with publish mode enabled — a documented, common configuration for sharing notebooks — should upgrade to commit 0.0.0-20260628153353-2d5d72223df4 immediately, or as a stopgap disable publish mode / firewall port 6808 from untrusted networks and rotate accessAuthCode and API tokens as a precaution, since the flaw may have been silently exploitable since the incomplete #41894 patch shipped.
What is the risk?
CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) understates the practical severity: this is a zero-click, unauthenticated, network-exploitable primitive against a publicly documented feature (publish mode), with a trivial PoC (a single curl request with a double-URL-encoded path). Confidentiality impact is rated high because it directly yields credential material (accessAuthCode hash, API token, sync secrets) that escalates to full authenticated kernel API access — effectively converting a 'read-only' bug into complete compromise of the SiYuan instance's data. EPSS places it in the top 23% of scored CVEs for near-term exploitation, and the vendor's own OpenSSF Scorecard of 5.8/10 alongside 19 other CVEs in this package signals a codebase with a recurring pattern of security gaps. It is not in CISA KEV and has no public exploit or Nuclei template yet, so treat this as high-not-yet-critical: patch on normal high-severity SLA, but prioritize any internet-facing publish-mode instances immediately.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter Notebook | go | < 0.0.0-20260628153353-2d5d72223df4 | 0.0.0-20260628153353-2d5d72223df4 |
Do you use Jupyter Notebook? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade SiYuan kernel to the patched build (0.0.0-20260628153353-2d5d72223df4 or later) — this removes the redundant url.PathUnescape fallback in GetAssetAbsPath and closes the publish-access fall-through. 2) Until patched, disable publish mode (conf.publish.enable = false) or restrict port 6808 to trusted networks/VPN only via firewall rules. 3) Rotate accessAuthCode and any API tokens on affected instances as a precaution, since the flaw may have been exploitable since the incomplete #41894 fix. 4) Detection: alert on requests to /assets/ containing '%25' (double-encoded percent signs) or repeated '%2e%2e' sequences in access logs — this is a high-fidelity IOC with no legitimate use case. 5) For self-hosted or vendor deployments, verify sync credentials (S3/WebDAV) haven't been used from unexpected source IPs since the CVE-2026-41894 patch date.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-54066?
SiYuan, an open-source AI-integrated note-taking and personal knowledge-base tool, ships an unauthenticated 'publish mode' HTTP endpoint that lets a remote attacker read arbitrary files inside the workspace directory by double-URL-encoding path traversal sequences in the /assets/ route — the exact bug class the vendor believed it had already fixed under CVE-2026-41894. The exposed conf/conf.json file contains the instance's accessAuthCode hash and API token, which upgrades this from a read primitive into full authenticated read/write access to every notebook on the instance, and any S3/WebDAV sync credentials in the same file let an attacker pivot to external storage. With 2,965 downstream dependents and an EPSS score in the top 23% of CVEs by exploitation likelihood, this is a meaningful exposure even though it is not yet in CISA KEV and no public exploit or Nuclei template has surfaced. Any team running SiYuan with publish mode enabled — a documented, common configuration for sharing notebooks — should upgrade to commit 0.0.0-20260628153353-2d5d72223df4 immediately, or as a stopgap disable publish mode / firewall port 6808 from untrusted networks and rotate accessAuthCode and API tokens as a precaution, since the flaw may have been silently exploitable since the incomplete #41894 patch shipped.
Is CVE-2026-54066 actively exploited?
No confirmed active exploitation of CVE-2026-54066 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54066?
1) Upgrade SiYuan kernel to the patched build (0.0.0-20260628153353-2d5d72223df4 or later) — this removes the redundant url.PathUnescape fallback in GetAssetAbsPath and closes the publish-access fall-through. 2) Until patched, disable publish mode (conf.publish.enable = false) or restrict port 6808 to trusted networks/VPN only via firewall rules. 3) Rotate accessAuthCode and any API tokens on affected instances as a precaution, since the flaw may have been exploitable since the incomplete #41894 fix. 4) Detection: alert on requests to /assets/ containing '%25' (double-encoded percent signs) or repeated '%2e%2e' sequences in access logs — this is a high-fidelity IOC with no legitimate use case. 5) For self-hosted or vendor deployments, verify sync credentials (S3/WebDAV) haven't been used from unexpected source IPs since the CVE-2026-41894 patch date.
What systems are affected by CVE-2026-54066?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks.
What is the CVSS score for CVE-2026-54066?
CVE-2026-54066 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.89%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary The patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the `/export/` route but the **identical root cause remains in the `/assets/*path` route**. In publish mode (anonymous read-only HTTP endpoint, default port 6808), an unauthenticated remote attacker can read arbitrary files inside `WorkspaceDir` — including `conf/conf.json` (which contains the `AccessAuthCode` SHA256 hash, API token, and sync keys), `temp/siyuan.db`, `temp/blocktree.db`, and `siyuan.log` — by double-URL-encoding `..` segments. Verified against siyuan v3.6.5: - `GET /assets/%252e%252e/%252e%252e/conf/conf.json` → **HTTP 200, 10349 bytes (conf.json served)** - `GET /export/%252e%252e/%252e%252e/conf/conf.json` → HTTP 401 (patched) - `GET /assets/%2e%2e/conf/conf.json` → HTTP 404 (single-decode handled correctly) ## Vulnerable Code **Step 1 — route & first decode** (`kernel/server/serve.go:587-626`): The router registers `GET /assets/*path` for the publish listener. Gin performs one URL decoding pass on `URL.Path`, so a request for `/assets/%252e%252e/...` yields `context.Param("path") == "/%2e%2e/%2e%2e/conf/conf.json"` — literal `%2e%2e` strings, which `path.Clean` cannot collapse. **Step 2 — second decode via fallback** (`kernel/model/assets.go:536-563`, `GetAssetAbsPath`): ```go p, err := getAssetAbsPath(relativePath) if nil != err { // fallback decoded, e := url.PathUnescape(relativePath) // ← line 548, second decode if nil == e { p, err = getAssetAbsPath(decoded) } } ``` After the fallback decodes `%2e%2e` to `..`, `filepath.Join(DataDir, "../../conf/conf.json")` is `Clean`-ed to `WorkspaceDir/conf/conf.json`, an existing file. **Step 3 — publish-mode access gate fall-through** (`kernel/model/publish_access.go:288`, `CheckAbsPathAccessableByPublishAccess`): ```go if !filelock.IsSubPath(util.DataDir, absPath) { return true // ← fall-through allows anything outside DataDir but inside WorkspaceDir } ``` Because the resolved file is *outside* `DataDir` (it's in `WorkspaceDir`), the gate returns `true` and `IsSensitivePath()` is never invoked — `.db` / `.log` / `conf/` denylists do not apply to the `/assets/` route at all (unlike the patched `/export/` route, which additionally checks `IsSubPath(exportBaseDir, ...)`). **Step 4 — file served** (`http.ServeFile`): the request `URL.Path` contains literal `%2e%2e`, not `..`, so Go's `containsDotDot` guard passes and the file is sent. ## PoC Preconditions: siyuan kernel running with publish mode enabled (`conf.publish.enable = true`). Publish mode is the documented anonymous read-only endpoint for sharing notebooks. ``` $ curl -i "http://victim:6808/assets/%252e%252e/%252e%252e/conf/conf.json" HTTP/1.1 200 OK Content-Length: 10349 Content-Type: application/json ... {"appearance":{...},"editor":{...},"system":{...},"accessAuthCode":"<sha256>","api":{"token":"<api token>"}, ...} ``` Compared with the patched route: ``` $ curl -i "http://victim:6808/export/%252e%252e/%252e%252e/conf/conf.json" HTTP/1.1 401 Unauthorized ``` ## Root Cause Three independent flaws combine: 1. `GetAssetAbsPath` performs a second `url.PathUnescape` as a "compatibility" fallback, re-introducing the double-decode primitive that the CVE-2026-41894 patch eliminated on `/export/`. 2. `CheckAbsPathAccessableByPublishAccess` returns `true` for any path outside `DataDir`, even when that path is still inside `WorkspaceDir` (which contains `conf/conf.json`, `temp/*.db`, `siyuan.log`). 3. The `IsSensitivePath()` denylist applied to `/export/` is not called from the `/assets/` handler. ## Impact Unauthenticated remote arbitrary file read inside `WorkspaceDir`. Confirmed-readable files include: - `conf/conf.json` — `accessAuthCode` SHA256 (offline crackable), API token, S3/WebDAV sync credentials. - `temp/siyuan.db`, `temp/blocktree.db`, `temp/asset_content.db` — full notebook content (SQLite). - `siyuan.log` — internal paths, OS username, plugin info. Compromise of `accessAuthCode` / API token escalates to authenticated kernel API access (full read/write of all notebooks). Compromise of sync credentials escalates beyond the host. ## Fix 1. Remove the `url.PathUnescape` fallback in `GetAssetAbsPath` (assets.go:548), matching the `/export/` patch. 2. In `CheckAbsPathAccessableByPublishAccess`, replace the `IsSubPath(DataDir, ...)` fall-through with an explicit allowlist (only `DataDir` and its publishable subtree) and **always** call `IsSensitivePath()`. 3. Apply `IsSensitivePath()` inside the `/assets/*path` handler in `serve.go` as defense-in-depth. ## Status Privately reported via GitHub Security Advisory. PoC reproduced locally against v3.6.5 (publish port 6808): `GET /assets/%252e%252e/%252e%252e/conf/conf.json` returned HTTP 200 / 10349 bytes.
Exploitation Scenario
An attacker scans the internet or a target's exposed infrastructure for hosts listening on SiYuan's default publish port 6808 (a common configuration since publish mode is the vendor-documented way to share notebooks anonymously). Finding one, they send an unauthenticated GET request to `/assets/%252e%252e/%252e%252e/conf/conf.json`, exploiting the double-URL-decode fallback to traverse out of the asset directory and into the workspace root. The response leaks the instance's accessAuthCode hash and API token; the attacker either cracks the hash offline or uses the token directly against the kernel API to gain full authenticated read/write access to every notebook — exfiltrating proprietary notes, credentials pasted into notebooks, or any data feeding an AI assistant plugin. If S3/WebDAV sync is configured, the same conf.json yields cloud storage credentials, letting the attacker pivot beyond the host to the victim's broader storage infrastructure.
Weaknesses (CWE)
CWE-1188 Initialization of a Resource with an Insecure Default
Primary
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Primary
CWE-23 Relative Path Traversal
Primary
CWE-1188 — Initialization of a Resource with an Insecure Default: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44727 9.0 jupyter-server: stored XSS yields kernel RCE
Same package: notebook CVE-2026-52798 8.9 Gogs: Stored XSS via .ipynb Markdown re-render bypass
Same package: notebook CVE-2026-42557 8.8 JupyterLab: one-click RCE via notebook HTML cell output
Same package: notebook CVE-2026-42266 8.8 JupyterLab: Extension allow-list bypass enables privesc
Same package: notebook CVE-2026-5422 8.1 jupyter-server: path traversal exposes sibling dir files
Same package: notebook