CVE-2026-45148
published 2026-05-14CVE-2026-45148: SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and…
PriorityP423medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.22%
12.6th percentile
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode Readers can enumerate metadata from documents that are invisible to the publish service. This vulnerability is fixed in 3.7.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | siyuan-note_siyuan_kernel | >= 0 < 0.0.0-20260512140701-d7b77d945e0d | 0.0.0-20260512140701-d7b77d945e0d |
| siyuan-note | siyuan | < 3.7.0 | 3.7.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
SiYuan up to 3.6.x Publish Service authorization (GHSA-fmh9-gpqh-g53g)
vuldb·2026-05-15·CVSS 4.3
CVE-2026-45148 [MEDIUM] SiYuan up to 3.6.x Publish Service authorization (GHSA-fmh9-gpqh-g53g)
A vulnerability classified as problematic was found in SiYuan up to 3.6.x. This impacts an unknown function of the component Publish Service. The manipulation results in incorrect authorization.
This vulnerability was named CVE-2026-45148. The attack may be performed from remote. There is no available exploit.
Upgrading the affected component is advised.
GHSA
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
ghsa·2026-05-13
CVE-2026-45148 [MEDIUM] CWE-863 SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
### Summary
The advisory `GHSA-c77m-r996-jr3q` patched `getBookmark` so that, when invoked by a publish-mode `RoleReader`, results are filtered through `FilterBlocksByPublishAccess` to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not receive the equivalent treatment and continue to expose metadata across the publish-access boundary.
### Details
**Affected files / lines (v3.6.5):**
`kernel/api/router.go:181-190` — all four endpoints registered with `CheckAuth` only, which the publish-service `RoleReader` JWT passes:
```go
ginServer.Handle("POST", "/api/search/searchTag", model.CheckAuth, searchTag)
g
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-14
Published