CVE-2026-45371
Published 2026-05-14
Priority: P3 46 · Severity: high · CVSS 4.0 base score: 7.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.21% (10.8th percentile)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST /api/storage/updateRecentDocCloseTime, POST /api/storage/updateRecentDocOpenTime, POST /api/storage/batchUpdateRecentDocCloseTime, and POST /api/search/updateEmbedBlock are registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly. Each of them writes server-side state, including atomic rewrites of /conf/conf.json via model.Conf.Save(). Any caller whose JWT passes CheckAuth, including a publish-service RoleReader (the role assigned to anonymous publish visitors) and a RoleEditor against a workspace where Editor.ReadOnly = true, can hit them. This vulnerability is fixed in 3.7.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | siyuan-note_siyuan_kernel | >= 0 < 0.0.0-20260512140701-d7b77d945e0d | 0.0.0-20260512140701-d7b77d945e0d |
| siyuan-note | siyuan | < 3.7.0 | 3.7.0 |
VulDB
SiYuan up to 3.6.x /api/graph/getGraph model.Conf.Save improper authorization (GHSA-gmmv-4cc5-wr9r)
vuldb·2026-05-15·CVSS 7.2
CVE-2026-45371 [HIGH] SiYuan up to 3.6.x /api/graph/getGraph model.Conf.Save improper authorization (GHSA-gmmv-4cc5-wr9r)
A vulnerability was found in SiYuan up to 3.6.x and classified as critical. This affects the function model.Conf.Save of the file /api/graph/getGraph. Executing a manipulation can lead to improper authorization.
This vulnerability is tracked as CVE-2026-45371. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
ghsa·2026-05-13
CVE-2026-45371 [HIGH] CWE-285 SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
### Summary
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
`POST /api/graph/getGraph`, `POST /api/graph/getLocalGraph`, `POST /api/sync/setSyncInterval`, `POST /api/storage/updateRecentDocViewTime`, `POST /api/storage/updateRecentDocCloseTime`, `POST /api/storage/updateRecentDocOpenTime`, `POST /api/storage/batchUpdateRecentDocCloseTime`, and `POST /api/search/updateEmbedBlock` are registered with `model.CheckAuth` only, omitting both `model.CheckAdminRole` and `model.CheckReadonly`. Each of them writes server-side state, including atomic rewrites of `/conf/conf.json` via `model.Conf.Save()`. Any caller whose JWT passes `CheckAuth`, including a publish-service `RoleReader` (the role assigned to anonymous publish visitors) and a `RoleEditor` against a workspace where `Editor.ReadOnly = true`, can hit them. This vulnerability is fixed in 3.7.0.
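The description above and the NVD text earlier on this page both describe the same defect: a state-mutating route registered behind an authentication gate alone, with no role check and no read-only check. The following Go program is an added example written for this page; it is not SiYuan's code and it does not reproduce SiYuan's `model` package. The role names, the `Workspace.EditorReadOnly` flag, the `X-Role` header (a constructed stand-in for a verified JWT claim), the `Conf.Save` counter and the `/api/example/update` path are all assumptions made for the example. It builds the same handler twice, once with the weak registration (authentication only) and once with the full gate set, and shows that a reader-role request mutates state through the first and is refused by the second.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role is a hypothetical role model for this example, not SiYuan's own type.
type Role string

const (
	RoleAdmin  Role = "admin"
	RoleEditor Role = "editor"
	RoleReader Role = "reader"
)

// Workspace carries the one setting the advisory mentions (Editor.ReadOnly).
type Workspace struct {
	EditorReadOnly bool
}

// Conf stands in for server-side state that a mutating route rewrites;
// Save() counts rewrites instead of writing a file.
type Conf struct {
	saves int
}

func (c *Conf) Save()      { c.saves++ }
func (c *Conf) Saves() int { return c.saves }

// roleOf reads the caller's role from a header. A real service would verify a
// signed token; the header is a constructed stand-in so the example runs offline.
func roleOf(r *http.Request) (Role, bool) {
	role := Role(r.Header.Get("X-Role"))
	switch role {
	case RoleAdmin, RoleEditor, RoleReader:
		return role, true
	}
	return "", false
}

// checkAuth establishes only that the caller is authenticated.
func checkAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := roleOf(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkAdminRole rejects every authenticated caller except an admin.
func checkAdminRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := roleOf(r); role != RoleAdmin {
			http.Error(w, "admin role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkReadonly rejects readers, and editors when the workspace is read-only.
func checkReadonly(ws *Workspace) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			role, _ := roleOf(r)
			if role == RoleReader || (role == RoleEditor && ws.EditorReadOnly) {
				http.Error(w, "workspace is read-only for this role", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// chain wraps h so that gates run left to right before h.
func chain(h http.Handler, gates ...func(http.Handler) http.Handler) http.Handler {
	for i := len(gates) - 1; i >= 0; i-- {
		h = gates[i](h)
	}
	return h
}

// mutatingHandler rewrites state and therefore needs the full gate set in front of it.
func mutatingHandler(conf *Conf) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		conf.Save()
		fmt.Fprint(w, "saved")
	})
}

// Ungated registers the handler the way the advisory describes: authentication only.
func Ungated(conf *Conf) http.Handler {
	return chain(mutatingHandler(conf), checkAuth)
}

// Gated puts the role and read-only checks in front of the same handler.
func Gated(conf *Conf, ws *Workspace) http.Handler {
	return chain(mutatingHandler(conf), checkAuth, checkAdminRole, checkReadonly(ws))
}

// Probe sends a POST carrying the given role header and returns the HTTP status.
func Probe(h http.Handler, role string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/example/update", nil)
	if role != "" {
		req.Header.Set("X-Role", role)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	conf := &Conf{}
	ws := &Workspace{EditorReadOnly: true}
	fmt.Println("ungated, reader:", Probe(Ungated(conf), "reader"), "saves:", conf.Saves())
	fmt.Println("gated, reader:  ", Probe(Gated(conf, ws), "reader"), "saves:", conf.Saves())
	fmt.Println("gated, admin:   ", Probe(Gated(conf, ws), "admin"), "saves:", conf.Saves())
}
```

The point of the example is the registration, not the handler: the handler body is identical in both cases, so an audit for this class of defect is a review of which gates each mutating route is registered with, checked against whether the route writes state. Putting the gates in a single helper such as `Gated` for every route that calls `Save` makes the omission visible in one place.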
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.