PT-2026-40726 · Siyuan · Siyuan

Starplatinu · Published 2026-05-13 · Updated 2026-05-14 · CVE-2026-45147

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.7.0
Description: The endpoint "/api/tag/getTag" is registered with only the model.CheckAuth middleware; the model.CheckAdminRole and model.CheckReadonly checks are missing. Any authenticated user, including one holding RoleReader or RoleEditor permissions on a read-only workspace, can therefore perform unauthorized configuration writes. By supplying a sort argument to the endpoint, an attacker can mutate model.Conf.Tag.Sort and trigger model.Conf.Save(), which atomically rewrites the entire workspace conf.json file. If this write races with another configuration write, other legitimate configuration settings can be rolled back.
Recommendations: Update to version 3.7.0. As a temporary workaround, restrict access to the "/api/tag/getTag" endpoint to authorized administrators only.
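The missing-middleware pattern described above, as an added example that is not SiYuan's own code: a minimal Go handler which, like the advisory's getTag, mutates and saves configuration whenever a sort argument is present, so it can be wired once with no authorization gate (the vulnerable registration) and once behind an added admin-and-writable check (the fix). The Role type, TagConf, the X-Demo-Role header and requireAdminWritable are assumptions standing in for the real model.CheckAuth, model.CheckAdminRole and model.CheckReadonly middleware.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Role stands in for SiYuan's workspace roles (an assumption of this example, not the project's types).
type Role int

const (
	RoleReader Role = iota
	RoleEditor
	RoleAdmin
)

// TagConf stands in for model.Conf.Tag; Saves counts whole conf.json rewrites (Conf.Save()).
type TagConf struct{ Sort string; Saves int }

// getTag mirrors the advisory: any "sort" query argument mutates the config and saves it.
func getTag(conf *TagConf) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if s := r.URL.Query().Get("sort"); s != "" {
			conf.Sort, conf.Saves = s, conf.Saves+1
		}
		w.WriteHeader(http.StatusOK)
	}
}

// roleOf reads the caller's role from a demo header; a real kernel resolves it from the session.
func roleOf(r *http.Request) Role {
	return map[string]Role{"admin": RoleAdmin, "editor": RoleEditor}[r.Header.Get("X-Demo-Role")]
}

// requireAdminWritable is the gate the vulnerable route lacked: non-admins and read-only workspaces get 403.
func requireAdminWritable(readOnly bool, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if readOnly || roleOf(r) != RoleAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// call performs GET /api/tag/getTag?sort=<sort> as the given role and returns the status code.
func call(h http.HandlerFunc, role, sort string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/tag/getTag?sort="+sort, nil)
	req.Header.Set("X-Demo-Role", role)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```

Wiring getTag directly reproduces the advisory's behaviour (a reader's request rewrites the config); wrapping it in requireAdminWritable rejects readers, editors and any caller on a read-only workspace before the handler runs.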

Weakness Enumeration

Improper Authorization
Missing Authorization

Related Identifiers

CVE-2026-45147
GHSA-6R88-8V7Q-Q4P2

Affected Products

Siyuan