CVE-2026-45147
Published 2026-05-14
Priority: P4 · 23 · medium · CVSS 3.1 base score 4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.15% (4.8th percentile)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any authenticated user — including publish-service RoleReader accounts and RoleEditor accounts on a read-only workspace — can call this endpoint with a sort argument to mutate model.Conf.Tag.Sort and trigger model.Conf.Save(), which atomically rewrites the entire workspace conf.json. This vulnerability is fixed in 3.7.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | siyuan-note_siyuan_kernel | >= 0 < 0.0.0-20260512140701-d7b77d945e0d | 0.0.0-20260512140701-d7b77d945e0d |
| siyuan-note | siyuan | < 3.7.0 | 3.7.0 |
VulDB (2026-05-15, CVSS 4.3)
CVE-2026-45147 [MEDIUM] SiYuan up to 3.6.x /api/tag/getTag model.Conf.Save sort improper authorization (GHSA-6r88-8v7q-q4p2)
A vulnerability marked as critical has been reported in SiYuan up to 3.6.x. The affected element is the function model.Conf.Save of the file /api/tag/getTag. Performing a manipulation of the argument sort results in improper authorization.
This vulnerability is known as CVE-2026-45147. Remote exploitation of the attack is possible. No exploit is available.
It is suggested to upgrade the affected component.
GHSA (2026-05-13)
CVE-2026-45147 [MEDIUM] CWE-285 SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
### Summary
`POST /api/tag/getTag` is registered with `model.CheckAuth` only, omitting both `model.CheckAdminRole` and `model.CheckReadonly`, despite the handler performing a configuration write that is normally guarded by both. Any authenticated user — including publish-service `RoleReader` accounts and `RoleEditor` accounts on a read-only workspace — can call this endpoint with a `sort` argument to mutate `model.Conf.Tag.Sort` and trigger `model.Conf.Save()`, which atomically rewrites the entire workspace `conf.json`.
Same root-cause class as the patched `GHSA-4j3x-hhg2-fm2x` (which fixed missing `CheckAdminRole + CheckReadonly` on `/api/template/renderSprig`).
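The missing-guard pattern described above, as an added example that is not SiYuan's code: a small Go model of a route's guard chain. `CheckAuth`, `CheckAdminRole` and `CheckReadonly` are stand-ins for the middleware named in the advisory; the `Session` fields, the role values, the `Route` type and the `AuditRoutes` helper are this example's own assumptions. It shows that a reader-role session passes the single-guard chain of the vulnerable registration and is stopped by the full chain, and it includes a registration audit that flags any write route lacking either guard, which is the check a reviewer would want to run over a route table after a fix of this class.

```go
package main

import "fmt"

// Roles follow the advisory's wording (RoleReader, RoleEditor); the numeric
// values are this example's assumption, not SiYuan's constants.
type Role int

const (
	RoleAdministrator Role = iota
	RoleEditor
	RoleReader
)

// Session is what the guards inspect: whether the caller is authenticated,
// which role it holds, and whether the workspace is in read-only mode.
type Session struct {
	Authenticated bool
	Role          Role
	ReadOnly      bool
}

// NamedGuard pairs a guard with its name so a registration can be audited.
// Check returns 0 to let the request through, or the HTTP status to stop it.
type NamedGuard struct {
	Name  string
	Check func(Session) int
}

func CheckAuth(s Session) int {
	if !s.Authenticated {
		return 401
	}
	return 0
}

func CheckAdminRole(s Session) int {
	if s.Role != RoleAdministrator {
		return 403
	}
	return 0
}

func CheckReadonly(s Session) int {
	if s.ReadOnly {
		return 403
	}
	return 0
}

var (
	Auth      = NamedGuard{Name: "CheckAuth", Check: CheckAuth}
	AdminRole = NamedGuard{Name: "CheckAdminRole", Check: CheckAdminRole}
	Readonly  = NamedGuard{Name: "CheckReadonly", Check: CheckReadonly}
)

// Route mirrors one registration line: the path, its guard chain, and whether
// the handler writes persistent state (here: mutating Conf and saving it).
type Route struct {
	Path   string
	Guards []NamedGuard
	Writes bool
}

// Dispatch runs the guard chain in order and returns the status the caller
// would receive: 200 once every guard has passed.
func Dispatch(r Route, s Session) int {
	for _, g := range r.Guards {
		if code := g.Check(s); code != 0 {
			return code
		}
	}
	return 200
}

// AuditRoutes returns the paths of write routes whose chain lacks either
// CheckAdminRole or CheckReadonly, the exact omission behind the advisory.
func AuditRoutes(routes []Route) []string {
	var missing []string
	for _, r := range routes {
		if !r.Writes {
			continue
		}
		have := map[string]bool{}
		for _, g := range r.Guards {
			have[g.Name] = true
		}
		if !have["CheckAdminRole"] || !have["CheckReadonly"] {
			missing = append(missing, r.Path)
		}
	}
	return missing
}

// The pre-3.7.0 registration shape the advisory describes, beside the chain
// it says normally guards a configuration write.
var (
	VulnerableGetTag = Route{Path: "/api/tag/getTag", Guards: []NamedGuard{Auth}, Writes: true}
	GuardedGetTag    = Route{Path: "/api/tag/getTag", Guards: []NamedGuard{Auth, AdminRole, Readonly}, Writes: true}
)

func main() {
	reader := Session{Authenticated: true, Role: RoleReader}
	fmt.Println("vulnerable chain, reader:", Dispatch(VulnerableGetTag, reader)) // 200
	fmt.Println("guarded chain, reader:   ", Dispatch(GuardedGetTag, reader))    // 403
	fmt.Println("audit flags:", AuditRoutes([]Route{VulnerableGetTag, GuardedGetTag}))
}
```

The audit keys on guard names rather than function identity because Go functions are not comparable; in a real route table the same idea applies to whatever middleware values the framework registers, and the point is to run it as a test so a new write endpoint cannot ship with only the authentication guard.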
### Details
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.