PT-2026-40729 · Siyuan · Siyuan
CVSS v4.0
7.2
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
SiYuan versions prior to 3.7.0
Description
SiYuan's publish-mode Reader can modify configuration and SQL index data through eight ungated APIs. These endpoints are registered with
model.CheckAuth but lack model.CheckAdminRole and model.CheckReadonly checks, allowing users with RoleReader (including anonymous visitors) or RoleEditor in read-only workspaces to write server-side state. This includes atomic rewrites of the <workspace>/conf/conf.json file via the model.Conf.Save() function.Technical details include:
- API Endpoints: '/api/graph/getGraph', '/api/graph/getLocalGraph', '/api/sync/setSyncInterval', '/api/storage/updateRecentDocViewTime', '/api/storage/updateRecentDocCloseTime', '/api/storage/updateRecentDocOpenTime', '/api/storage/batchUpdateRecentDocCloseTime', and '/api/search/updateEmbedBlock'.
- Vulnerable Parameters or Variables: The
intervalparameter in the sync API and theidandcontentparameters in the search API. - Function Names:
model.Conf.Save()is used to persist unauthorized configuration changes.
Impacts include the ability to manipulate cloud sync intervals, corrupt graph rendering settings, poison search results by modifying the SQL
blocks.content column, and manipulate the administrator's recent-documents list.Recommendations
Update to version 3.7.0.
Exploit
Fix
Improper Authorization
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Siyuan