Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode Readers can enumerate metadata from documents that are invisible to the publish service. This vulnerability is fixed in 3.7.0.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A broken access control flaw exists in the searchAsset, searchTag, searchWidget, and searchTemplate functions of the publish mode in SiYuan. Readers who can access the publish interface can enumerate metadata of documents that are otherwise invisible to the publish service. This permits an attacker to discover the existence, names, or attributes of hidden documents, potentially revealing sensitive information or providing insight into repository contents.

Affected Systems

SiYuan, the open‑source personal knowledge management system from Siyuan-Note. Versions prior to 3.7.0 are affected; the issue was resolved in version 3.7.0.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity. No EPSS value is published and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is interaction with the publish-mode search APIs, which are reachable to any user granted read access to the publish service. Discovery of hidden metadata can aid further reconnaissance or support other attacks against the knowledge base.

Generated by OpenCVE AI on May 14, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.7.0 or any later release that contains the fix.
  • Restrict publish‑mode access to only users who are explicitly authorized to view all document metadata, and review the publish‑mode configuration for unnecessary exposure.
  • Implement monitoring or rate limiting on search endpoints to detect and mitigate automated enumeration attempts.

Generated by OpenCVE AI on May 14, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fmh9-gpqh-g53g SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode Readers can enumerate metadata from documents that are invisible to the publish service. This vulnerability is fixed in 3.7.0.
Title SiYuan: Broken access control in SiYuan publish-mode Readers can enumerate metadata
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:10:21.494Z

Reserved: 2026-05-08T20:44:38.964Z

Link: CVE-2026-45148

cve-icon Vulnrichment

Updated: 2026-05-15T14:10:16.188Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T19:16:38.760

Modified: 2026-05-15T15:16:53.940

Link: CVE-2026-45148

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses