CVE-2026-54069
SiYuan · SiYuan Note
The SiYuan kernel HTTP server improperly trusts browser extension origins, allowing unauthenticated administrative API access and potential data exfiltration.
Executive summary
The SiYuan kernel HTTP server contains a critical authentication bypass flaw that allows malicious browser extensions to perform administrative actions without authorization.
Vulnerability
The kernel HTTP server fails to perform proper origin validation, unconditionally trusting all browser extensions. Combined with a default empty authentication code, this allows unauthenticated attackers to execute administrative API calls.
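The two weaknesses the advisory combines, shown side by side in an added illustration that is not SiYuan's own code (Go is used because the SiYuan kernel is a Go program). The weak check trusts any browser-extension origin outright and lets an empty default access code match an absent token; the hardened check refuses authorization while no code is configured, only admits allowlisted origins, and compares tokens in constant time. The allowlist entry, header values and the extension id are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
)

// Constructed allowlist for the hardened check; a real deployment would load
// it from configuration. Only the kernel's own local web UI origin is trusted.
var allowedOrigins = map[string]bool{
	"http://127.0.0.1:6806": true,
}

// weakAllow illustrates the flaw pattern the advisory describes (not SiYuan's
// actual code): any browser-extension origin is trusted unconditionally, and
// when the access code is left at its empty default an absent token matches.
func weakAllow(origin, configuredCode, presentedCode string) bool {
	if strings.HasPrefix(origin, "chrome-extension://") ||
		strings.HasPrefix(origin, "moz-extension://") {
		return true // unconditional trust in extension origins
	}
	return presentedCode == configuredCode // "" == "" also passes
}

// hardenedAllow refuses to authorize anything while no access code is set,
// grants extension origins no implicit trust, and compares in constant time.
func hardenedAllow(origin, configuredCode, presentedCode string) bool {
	if configuredCode == "" {
		return false // an unset code must never grant access
	}
	if !allowedOrigins[origin] {
		return false // origin must be explicitly allowlisted
	}
	return subtle.ConstantTimeCompare([]byte(presentedCode), []byte(configuredCode)) == 1
}

func main() {
	ext := "chrome-extension://constructed-extension-id" // constructed id
	fmt.Println("weak, extension origin, no code:", weakAllow(ext, "", ""))
	fmt.Println("weak, other origin, empty default code:", weakAllow("https://third-party.example", "", ""))
	fmt.Println("hardened, extension origin, no code:", hardenedAllow(ext, "", ""))
	fmt.Println("hardened, local origin, correct code:", hardenedAllow("http://127.0.0.1:6806", "s3cret", "s3cret"))
}
```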
Business impact
This vulnerability carries a CVSS score of 9.2, representing an extremely high risk. Successful exploitation allows unauthorized parties to exfiltrate sensitive personal knowledge data, tamper with application configurations, and inject malicious scripts, effectively granting the attacker full administrative control over the application state.
Remediation
Immediate Action: Update SiYuan to version 3.7.0 or later and configure a strong, non-default AccessAuthCode.
Proactive Monitoring: Review application logs for unexpected API calls originating from unauthorized or unrecognized browser-based sources.
Compensating Controls: Use network-level controls or host-based firewalls to restrict access to the SiYuan kernel port (6806) to trusted local processes only.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The reliance on a default (empty) authentication code and a permissive origin policy creates a significant security gap. Users must update to the latest version and configure a strong access code to prevent unauthorized administrative access to their knowledge base.