PT-2026-40729 · Siyuan · Siyuan

·

CVE-2026-45371

·

Published

2026-05-13

·

Updated

2026-06-25

CVSS v4.0

7.2

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0
Description SiYuan's publish-mode Reader can modify configuration and SQL index data through eight ungated APIs. These endpoints are registered with model.CheckAuth but lack model.CheckAdminRole and model.CheckReadonly checks, allowing users with RoleReader (including anonymous visitors) or RoleEditor in read-only workspaces to write server-side state. This includes atomic rewrites of the <workspace>/conf/conf.json file via the model.Conf.Save() function.
Technical details include:
  • API Endpoints: '/api/graph/getGraph', '/api/graph/getLocalGraph', '/api/sync/setSyncInterval', '/api/storage/updateRecentDocViewTime', '/api/storage/updateRecentDocCloseTime', '/api/storage/updateRecentDocOpenTime', '/api/storage/batchUpdateRecentDocCloseTime', and '/api/search/updateEmbedBlock'.
  • Vulnerable Parameters or Variables: The interval parameter in the sync API and the id and content parameters in the search API.
  • Function Names: model.Conf.Save() is used to persist unauthorized configuration changes.
Impacts include the ability to manipulate cloud sync intervals, corrupt graph rendering settings, poison search results by modifying the SQL blocks.content column, and manipulate the administrator's recent-documents list.
Recommendations Update to version 3.7.0.

Exploit

Fix

Improper Authorization

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45371
GHSA-GMMV-4CC5-WR9R
GO-2026-5402

Affected Products

Siyuan