CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-hvr9-72v2-fff3: SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist

criticalCVE-2026-54069
Summary SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. Affected Versions SiYuan <= v3.6.5 (commit 96dfe0bea474). The chrome-extension allowlist remains unfixed as of the latest commit on the fix branch (d7b77d945e0d). Vulnerability Details Blanket chrome-extension:// Origin Trust (CWE-346) In kernel/model/session.go:277, the CheckAuth middleware exempts all chrome-extension:// origins from authentication: if strings.HasPrefix(origin, "chrome-extension://") { // skip auth } At session.go:284, the request is assigned RoleAdministrator: c.Set("role", model.RoleAdministrator) The AccessAuthCode field defaults to an empty string for desktop installs (ContainerStd). When empty, no token validation occurs. This means any Chrome/Chromium extension can make fully authenticated admin API calls to the SiYuan kernel. The origin check trusts the entire chrome-extension:// scheme rather than validating a specific extension ID, so every installed extension (including those with no explicit host_permissions) can access all admin endpoints. Proof of Concept Unauthenticated admin API access via browser extension: A minimal Chrome extension with only default permissions: { "manifest_version": 3, "name": "SiYuan PoC", "version": "1.0", "background": { "service_worker": "bg.js" } } // bg.js -- runs as chrome-extension://<id> // No special host_permissions needed; localhost is accessible by default // 1. Verify admin access fetch('http://127.0.0.1:6806/api/system/getConf', { method: 'POST', headers: {

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-hvr9-72v2-fff3

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-54069coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories