CVE-2026-33669: Siyuan Asset Handler Missing Publish Access Check

Provally Curated | Public repository | High | High confidence | Verified | Apache-2.0 | go
greprules fetch cve-2026-33669-siyuan-asset-handler-missing-publish-access-check --engine opengrep

Description

An asset path resolved by model.GetAssetAbsPath is served (via http.ServeFile, serveThumbnail, or serveSVG) without enforcing the publish-service access policy. Non-admin callers in publish mode can therefore read assets that belong to publish-ignored or password-protected documents. Gate non-admin contexts with model.IsAdminRoleContext and verify the resolved path with model.CheckAbsPath.

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided