Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST /api/storage/updateRecentDocCloseTime, POST /api/storage/updateRecentDocOpenTime, POST /api/storage/batchUpdateRecentDocCloseTime, and POST /api/search/updateEmbedBlock are registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly. Each of them writes server-side state, including atomic rewrites of <workspace>/conf/conf.json via model.Conf.Save(). Any caller whose JWT passes CheckAuth, including a publish-service RoleReader (the role assigned to anonymous publish visitors) and a RoleEditor against a workspace where Editor.ReadOnly = true, can hit them. This vulnerability is fixed in 3.7.0.
Published: 2026-05-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan, an open-source personal knowledge management system, exposes eight kernel API endpoints that, before 3.7.0, are registered with model.CheckAuth alone; the model.CheckAdminRole and model.CheckReadonly checks that should gate state-changing handlers are missing from their registration. Any request carrying a JWT that passes the generic authentication gate can therefore invoke them, including the publish-service RoleReader JWT issued to anonymous publish visitors and a RoleEditor JWT on a workspace whose Editor.ReadOnly flag is set. Each endpoint writes server-side state: collectively they mutate Conf, which is persisted by an atomic rewrite of <workspace>/conf/conf.json via model.Conf.Save(), and the SQL index. The root cause is missing authorization (CWE-862) on handlers that required it, with the existing check being insufficient (CWE-285): anonymous or low-privilege callers can alter configuration the kernel trusts and tamper with index data, which may change application behaviour or subvert data integrity.
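To make the gating concrete, the following is an added example and not SiYuan's own code: it models the kernel's handler chain in plain Go, with a setSyncInterval-style handler registered once the pre-3.7.0 way (CheckAuth only) and once with CheckAdminRole and CheckReadonly in front of it, then probes both with the tokens each role would carry. The role names follow the advisory; the token table standing in for JWT verification, the Conf struct, the numeric role values and the exact semantics of CheckReadonly are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role names follow the advisory; values are assumed, zero meaning "no role".
type Role int

const (
	RoleAdmin Role = iota + 1
	RoleEditor
	RoleReader // what anonymous publish visitors receive
)

// Conf stands in for model.Conf with only the fields this example needs.
type Conf struct {
	EditorReadOnly bool // Editor.ReadOnly in the advisory
	SyncInterval   int
	Saves          int // conf.json rewrites performed
}

// tokens is constructed, standing in for JWT verification; unknown tokens map to 0.
var tokens = map[string]Role{"admin-token": RoleAdmin, "editor-token": RoleEditor, "reader-token": RoleReader}
func roleOf(r *http.Request) Role {
	return tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
}

// A Guard returns 0 to pass or an HTTP status to refuse; Gate runs them in order.
type Guard func(r *http.Request) int

func Gate(h http.Handler, guards ...Guard) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, g := range guards {
			if code := g(r); code != 0 {
				http.Error(w, http.StatusText(code), code)
				return
			}
		}
		h.ServeHTTP(w, r)
	})
}

func deny(cond bool, status int) int {
	if cond {
		return status
	}
	return 0
}

// CheckAuth admits any caller presenting a known token, whatever its role.
func CheckAuth(r *http.Request) int { return deny(roleOf(r) == 0, http.StatusUnauthorized) }
// CheckAdminRole lets only administrators reach state-changing handlers.
func CheckAdminRole(r *http.Request) int { return deny(roleOf(r) != RoleAdmin, http.StatusForbidden) }

// CheckReadonly refuses non-admin writes while Editor.ReadOnly is set (assumed semantics).
func CheckReadonly(conf *Conf) Guard {
	return func(r *http.Request) int {
		return deny(conf.EditorReadOnly && roleOf(r) != RoleAdmin, http.StatusForbidden)
	}
}

// SetSyncInterval stands in for POST /api/sync/setSyncInterval: mutate Conf, persist it.
func SetSyncInterval(conf *Conf) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var body struct{ Interval int }
		if json.NewDecoder(r.Body).Decode(&body) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		conf.SyncInterval = body.Interval
		conf.Saves++ // stands in for model.Conf.Save(), the atomic conf.json rewrite
		w.Write([]byte(`{"code":0}`))
	})
}

// Ungated is the pre-3.7.0 registration (CheckAuth only); Gated is the fixed one.
func Ungated(conf *Conf) http.Handler { return Gate(SetSyncInterval(conf), CheckAuth) }
func Gated(conf *Conf) http.Handler {
	return Gate(SetSyncInterval(conf), CheckAuth, CheckAdminRole, CheckReadonly(conf))
}

// Probe sends a visitor's request and returns the status; check conf afterwards.
func Probe(h http.Handler, token string) int {
	req := httptest.NewRequest("POST", "/api/sync/setSyncInterval", strings.NewReader(`{"interval":30000}`))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ro := &Conf{EditorReadOnly: true}
	fmt.Println("ungated:", Probe(Ungated(ro), "reader-token"), "gated:", Probe(Gated(ro), "reader-token"), "saves:", ro.Saves)
}
```

The point to take from it is that CheckAuth answers only "is this a valid token", never "may this token write": a reader-token request passes Ungated and bumps Saves, while the same request against Gated is refused at CheckAdminRole before the handler runs. Ordering matters too: the role and read-only guards sit after authentication so they always see a resolved role, and an unknown token resolves to 0, which no guard treats as a privilege.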

Affected Systems

Any SiYuan installation running a version earlier than 3.7.0 is affected (vendor siyuan-note, product SiYuan). Exposure is greatest where publish mode is enabled, because that is what hands anonymous visitors a RoleReader JWT that passes CheckAuth; installations that rely on Editor.ReadOnly to keep RoleEditor accounts from writing are affected as well, since that setting is not enforced on these eight endpoints either.

Risk and Exploitability

The CVSS 4.0 base score is 7.2 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N: reachable over the network, no user interaction, low privileges required, with high integrity impact and low confidentiality and availability impact. The EPSS score is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: poc, Automatable: no and Technical Impact: partial. Exploitation consists of sending HTTP POST requests to any of the eight endpoints with a JWT that passes CheckAuth. Because publish mode issues anonymous visitors a RoleReader JWT, the PR:L requirement is satisfied by anyone who can reach a published workspace, so no account or credential is needed.

Generated by OpenCVE AI on May 14, 2026 at 20:40 UTC.

Remediation

The vendor fix is SiYuan 3.7.0 (see GHSA-gmmv-4cc5-wr9r); no vendor-published workaround is listed.

OpenCVE Recommended Actions

  • Upgrade SiYuan to 3.7.0 or later, which restores the authorization checks on the eight APIs.
  • If an immediate upgrade is not feasible, refuse external requests to the affected endpoints (POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST /api/storage/updateRecentDocCloseTime, POST /api/storage/updateRecentDocOpenTime, POST /api/storage/batchUpdateRecentDocCloseTime and POST /api/search/updateEmbedBlock) at a reverse proxy or firewall in front of the kernel, and disable publish mode for workspaces whose configuration or index must not be altered by visitors.
  • Do not rely on token rotation alone: the RoleReader JWT is the one issued to anonymous publish visitors, so rotating it does not remove the attack path. Revoke RoleEditor tokens on read-only workspaces where the editors are not trusted, and after upgrading review conf.json and the SQL index for changes that cannot be attributed to an administrator.
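As an added example of the second recommendation above (not SiYuan's code or configuration), the following Go edge handler refuses the eight paths before they reach the kernel and forwards everything else. The kernel listener address used in main and the unrelated path used in the demonstration are assumptions; the deny list itself is the advisory's.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// DeniedAPIs lists the eight endpoints named in the advisory, as exact paths.
var DeniedAPIs = map[string]bool{
	"/api/graph/getGraph":                        true,
	"/api/graph/getLocalGraph":                   true,
	"/api/sync/setSyncInterval":                  true,
	"/api/storage/updateRecentDocViewTime":       true,
	"/api/storage/updateRecentDocCloseTime":      true,
	"/api/storage/updateRecentDocOpenTime":       true,
	"/api/storage/batchUpdateRecentDocCloseTime": true,
	"/api/search/updateEmbedBlock":               true,
}

// Denied reports whether a request path must be refused at the edge. The path
// is cleaned first so that "/api//graph/getGraph", "/api/graph/getGraph/" or
// "/api/x/../graph/getGraph" are refused as well, regardless of how the
// upstream router would normalise them.
func Denied(rawPath string) bool {
	return DeniedAPIs[path.Clean("/"+rawPath)]
}

// NewEdge builds the handler to put in front of the kernel: it refuses the
// listed APIs for every method and forwards everything else to upstream.
func NewEdge(upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if Denied(r.URL.Path) {
			http.Error(w, "endpoint disabled pending upgrade to SiYuan 3.7.0", http.StatusForbidden)
			return
		}
		upstream.ServeHTTP(w, r)
	})
}

// Exercise runs the edge in front of a stub kernel (no network involved) and
// returns the status the client sees and whether the stub was reached.
func Exercise(method, p string) (int, bool) {
	reached := false
	stub := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reached = true
		w.Write([]byte(`{"code":0}`))
	})
	rec := httptest.NewRecorder()
	NewEdge(stub).ServeHTTP(rec, httptest.NewRequest(method, p, strings.NewReader("{}")))
	return rec.Code, reached
}

func main() {
	// Production wiring: a reverse proxy to the kernel listener (address assumed).
	kernel, _ := url.Parse("http://127.0.0.1:6806")
	edge := NewEdge(httputil.NewSingleHostReverseProxy(kernel))
	_ = edge // serve this with http.ListenAndServe(...) behind TLS instead of the kernel

	// Constructed paths: three variants of a denied API and one unrelated API.
	for _, p := range []string{"/api/graph/getGraph", "/api/graph/getGraph/", "/api//sync/setSyncInterval", "/api/example/unrelated"} {
		code, reached := Exercise("POST", p)
		fmt.Printf("%-30s %d reached=%v\n", p, code, reached)
	}
}
```

Two caveats apply. The rule is only effective if the kernel's own listener is reachable solely through this edge, including whatever listener serves publish visitors; a deny list in front of one port does nothing for a second one. And it is a stopgap rather than a fix: it also refuses administrators who come through the edge, and it leaves every other handler's authorization exactly as shipped, so the upgrade to 3.7.0 still has to happen.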



Advisories
Source: GitHub GHSA
ID: GHSA-gmmv-4cc5-wr9r
Title: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
History

Fri, 15 May 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 19:00:00 +0000

Type: Description
Values added: SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST /api/storage/updateRecentDocCloseTime, POST /api/storage/updateRecentDocOpenTime, POST /api/storage/batchUpdateRecentDocCloseTime, and POST /api/search/updateEmbedBlock are registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly. Each of them writes server-side state, including atomic rewrites of <workspace>/conf/conf.json via model.Conf.Save(). Any caller whose JWT passes CheckAuth, including a publish-service RoleReader (the role assigned to anonymous publish visitors) and a RoleEditor against a workspace where Editor.ReadOnly = true, can hit them. This vulnerability is fixed in 3.7.0.
Type: Title
Values added: SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
Type: Weaknesses
Values added: CWE-285, CWE-862
Type: References
Type: Metrics (cvssV4_0)
Values added: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:05:19.202Z

Reserved: 2026-05-12T00:51:29.086Z

Link: CVE-2026-45371

Vulnrichment

Updated: 2026-05-15T16:40:11.849Z

NVD

Status : Deferred

Published: 2026-05-14T19:16:38.897

Modified: 2026-05-15T19:17:01.757

Link: CVE-2026-45371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses