SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to una…

SiYuan personal knowledge management system has a vulnerability in version 3.6.2 and prior where the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. The issue occurs in publish/read-only mode where /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccess(nil, ...). The filter treats a nil context as authorized, skipping the publish password check and returning bookmarked blocks from documents configured as Protected. This allows unauthorized access to protected document content without providing required passwords, as long as at least one block in the document is bookmarked. The vulnerability has been patched in version 3.6.2.