SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.3
A vulnerability exists in SiYuan versions through 3.6.3, allowing authenticated users holding the publish-service RoleReader token to abuse the /api/av/removeUnusedAttributeView endpoint. The endpoint lacks proper authorization checks, enabling the deletion of arbitrary attribute view files from the workspace. The vulnerability arises because the endpoint verifies neither whether the caller has the right to delete nor whether the attribute view is genuinely unused. As a result, an authenticated publish-service reader can permanently remove attribute view definitions, disrupting database views and workspace rendering until they are manually restored.
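The two missing checks the advisory describes, written out as an added Go example (this is illustrative code, not SiYuan's own handler or the 3.6.4 fix; the Role and Workspace types, the id values and the block references are constructed assumptions):

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical role type; the publish-service reader token maps to RoleReader.
type Role int
const (
	RoleReader Role = iota
	RoleEditor
)

// Workspace is a constructed stand-in for the on-disk workspace: which attribute
// view ids exist, and which block ids still reference each of them.
type Workspace struct {
	AttributeViews map[string]bool
	References     map[string][]string
}

var (
	ErrForbidden = errors.New("forbidden: role may not delete attribute views")
	ErrNotFound  = errors.New("attribute view not found")
	ErrInUse     = errors.New("attribute view is still referenced")
)

// RemoveUnusedAttributeView applies the two checks the advisory says the vulnerable
// endpoint lacked (caller authorization, proof the view is unused) before deleting.
func RemoveUnusedAttributeView(ws *Workspace, caller Role, avID string) error {
	if caller == RoleReader {
		return ErrForbidden // a reader token must never reach the delete path
	}
	if !ws.AttributeViews[avID] {
		return ErrNotFound
	}
	if len(ws.References[avID]) > 0 {
		return ErrInUse // "unused" is verified server-side, not taken from the request
	}
	delete(ws.AttributeViews, avID)
	return nil
}

func main() {
	ws := &Workspace{AttributeViews: map[string]bool{"av-orphan": true, "av-live": true},
		References: map[string][]string{"av-live": {"block-1"}}}
	fmt.Println(RemoveUnusedAttributeView(ws, RoleReader, "av-orphan")) // forbidden
	fmt.Println(RemoveUnusedAttributeView(ws, RoleEditor, "av-live"))   // still referenced
	fmt.Println(RemoveUnusedAttributeView(ws, RoleEditor, "av-orphan")) // <nil>
}
```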
Exploitation of this vulnerability allows for the unauthorized deletion of attribute view definitions, causing disruption in database views and local workspace rendering, particularly affecting AV-backed relationships. The deletion persists until the attribute view is restored from history or recreated.
To reproduce this vulnerability, an authenticated user with publish-service RoleReader credentials must access the /api/av/removeUnusedAttributeView endpoint. The user can extract valid data-av-id values from published content and use them as the id parameter in the request, which deletes the corresponding attribute view file from the workspace.
Users should update to SiYuan version 3.6.4, where this vulnerability has been fixed.