SiYuan knowledge management systems are vulnerable to a critical information disclosure flaw that allows unauthenticated attackers to view the full content of all stored documents via API abuse.

The vulnerability stems from insecure API endpoints that do not properly restrict access to document identifiers and content. An unauthenticated attacker can first list document IDs and then programmatically retrieve the full text of those documents using the /api/block/getChildBlocks interface.

For a personal knowledge management system, this vulnerability represents a total loss of confidentiality for all stored data. The CVSS score of 9.8 is justified by the fact that sensitive personal or corporate information can be harvested remotely without any authentication.

Immediate Action: Update SiYuan to version 3.6.2 or later to secure the affected API endpoints.

Proactive Monitoring: Monitor network traffic for excessive requests to the /api/block/ and /api/file/ endpoints, especially from unrecognized IP addresses.

Compensating Controls: If the application is hosted on a network, use an authentication proxy or VPN to restrict access to the SiYuan web interface to authorized users only.

Public Exploit Available: false

Because SiYuan is often used to store highly sensitive personal or organizational data, this unauthenticated access flaw is critical. Users should update immediately and ensure their instances are not exposed to the public internet without additional layers of authentication.