SiYuan Personal Knowledge Management System SQL Injection Vulnerability Allowing Unauthorized Database Access

Vulnerability

A vulnerability in the SiYuan personal knowledge management system prior to version 3.6.0 allows logged-in users, including those with only reader privileges, to execute arbitrary SQL queries directly against the database via the /api/query/sql endpoint. The endpoint verifies only that the request carries valid basic authentication, not that the caller has administrative rights, leading to an authorization bypass. The issue has been patched in version 3.6.0.

Impact

Exploitation of this vulnerability allows reader-level users to access and query all database information, including notes from other users. The SQL injection could also be used to perform write operations, despite the API being intended for read-only queries, potentially causing significant performance problems.

Reproduction

To reproduce this vulnerability, log in as a user with reader privileges and send a POST request to the /api/query/sql endpoint. Include a JSON payload with the SQL statement to be executed. The request must be authenticated with basic auth using the reader user's credentials.

Remediation

Users are advised to update to SiYuan version 3.6.0 or later.
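As an added illustration of the authorization check the advisory describes (example code, not SiYuan's own implementation): an endpoint that verifies only that the caller is logged in lets a reader-level session through, while the hardened check also requires the administrator role before any statement reaches the database. The Role and Session types, the returned status codes and the SELECT-prefix guard are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Assumed role model for this example; these are not SiYuan's own types.
type Role int

const (
	RoleReader Role = iota
	RoleAdmin
)

type Session struct {
	Authenticated bool
	Role          Role
}

// vulnerableAuthorize mirrors the flaw in the advisory: only the login state is
// checked, so a reader-level session gets 200 and its SQL reaches the database.
func vulnerableAuthorize(s Session) int {
	if !s.Authenticated {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// hardenedAuthorize requires authentication AND the admin role (the real fix), then
// adds a coarse read-only guard (one statement starting with SELECT) as defence in depth.
func hardenedAuthorize(s Session, stmt string) int {
	if status := vulnerableAuthorize(s); status != http.StatusOK {
		return status
	}
	if s.Role != RoleAdmin {
		return http.StatusForbidden // authenticated but not an administrator
	}
	q := strings.TrimSuffix(strings.TrimSpace(stmt), ";")
	if !strings.HasPrefix(strings.ToUpper(q), "SELECT ") || strings.Contains(q, ";") {
		return http.StatusBadRequest // write or multi-statement input is refused
	}
	return http.StatusOK
}

func main() {
	reader := Session{Authenticated: true, Role: RoleReader}
	fmt.Println(vulnerableAuthorize(reader), hardenedAuthorize(reader, "SELECT 1")) // 200 403
}
```

The prefix guard is deliberately coarse (it also refuses legitimate WITH ... SELECT queries and semicolons inside string literals); it backs up the role check rather than replacing it.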

Added: Mar 6, 2026, 8:22 AM
Updated: Mar 6, 2026, 8:22 AM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.3
  impact          5.0
  exploitability  6.2
  remediation     7.7
  relevance       3.5
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.