SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Fri, 20 Mar 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue. | |
| Title | SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass | |
| Weaknesses | CWE-248 CWE-306 |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-20T22:32:33.219Z
Reserved: 2026-03-17T23:23:58.312Z
Link: CVE-2026-33203
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.