CVE-2026-32767

SiYuan · SiYuan Knowledge Management System

SiYuan versions 3.6.0 and below contain an authorization bypass in the search endpoint, allowing authenticated users to execute arbitrary SQL statements against the underlying SQLite database.

Executive summary

A critical authorization bypass vulnerability in SiYuan allows any authenticated user, including those with restricted permissions, to execute arbitrary SQL commands and potentially compromise the entire application database.

Vulnerability

This flaw exists in the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. An authenticated attacker with "Reader" role privileges can bypass security middleware to inject raw SQL statements directly into the SQLite database.

Business impact

A successful exploit grants an attacker full control over the application's data layer. This results in total loss of data confidentiality, integrity, and availability, as an attacker can exfiltrate, modify, or delete all stored knowledge and system tables. The CVSS score of 9.8 reflects the critical nature of this flaw, where a low-privileged user can cause catastrophic system-wide impact.

Remediation

Immediate Action: Administrators must upgrade SiYuan to version 3.6.1 or later without delay; the update applies the necessary authorization and read-only checks to the affected endpoint.

Proactive Monitoring: Review application logs for unusual activity involving the /api/search/fullTextSearchBlock endpoint, specifically looking for SQL syntax or the use of method=2 by non-admin users.
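One way to run the log review described above, as an added example that is not SiYuan's own code. It assumes a reverse proxy or audit layer that writes one JSON record per request with `user`, `role`, `path` and the raw JSON `body`; those field names, the `Administrator` role string and the `query` body field are assumptions, and the sample records are constructed.

```python
import json
import re

ENDPOINT = "/api/search/fullTextSearchBlock"  # endpoint named in the advisory
ADMIN_ROLE = "Administrator"                  # assumed role string in the log
# Statements that change data or schema; worth review even from an admin.
WRITE_SQL = re.compile(
    r"\b(insert|update|delete|drop|alter|create|replace|attach|pragma)\b", re.I)

def _rec(user, role, path, body):
    """Build one constructed log line (assumed layout: JSON with a raw body)."""
    return json.dumps({"user": user, "role": role, "path": path,
                       "body": json.dumps(body)})

# Constructed sample input, not real traffic.
SAMPLE_LOG = [
    _rec("alice", ADMIN_ROLE, ENDPOINT, {"method": 2, "query": "SELECT 1"}),
    _rec("bob", "Reader", ENDPOINT, {"method": 0, "query": "update notes"}),
    _rec("bob", "Reader", ENDPOINT, {"method": 2, "query": "SELECT 1"}),
    _rec("carol", "Reader", ENDPOINT + "?x=1",
         {"method": "2", "query": "DELETE FROM example_table"}),
    _rec("dave", "Reader", "/api/other/endpoint", {"method": 2}),
    "truncated or non-JSON line",
]

def triage(lines):
    """Return (line_no, user, reasons) for requests that need review."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            path = str(rec.get("path", "")).split("?")[0]
            body = json.loads(rec.get("body") or "{}")
        except (ValueError, TypeError, AttributeError):
            continue  # unparseable record: skipped by this triage pass
        if path != ENDPOINT or not isinstance(body, dict):
            continue
        if body.get("method") not in (2, "2"):
            continue  # only method=2 requests are in scope
        reasons = []
        if rec.get("role") != ADMIN_ROLE:
            reasons.append("method=2 by non-admin")
        if WRITE_SQL.search(str(body.get("query", ""))):
            reasons.append("write/DDL statement in query")
        if reasons:
            findings.append((n, rec.get("user"), reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Keyword searches that merely contain a word such as "update" are not flagged, because the SQL check only applies to method=2 requests.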

Compensating Controls: Restrict network access to the SiYuan instance to trusted IP addresses and consider implementing a Web Application Firewall (WAF) to filter for common SQL injection patterns.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability cannot be overstated, as it completely bypasses the application's security model. Organizations using SiYuan should prioritize the update to version 3.6.1. Failure to remediate this flaw leaves the entire knowledge base vulnerable to unauthorized manipulation or permanent deletion by any user with basic access.