CVE-2026-45371: CWE-285: Improper Authorization in siyuan-note siyuan
SiYuan versions prior to 3. 7. 0 contain an improper authorization vulnerability where certain publish-mode Reader roles can modify configuration and SQL index data via eight APIs that lack proper admin or readonly checks. This allows any caller with a JWT passing basic authentication, including anonymous publish visitors, to write server-side state such as workspace configuration files. The issue is fixed in version 3. 7. 0.
AI Analysis
Technical Summary
CVE-2026-45371 is an improper authorization vulnerability in SiYuan (an open-source personal knowledge management system) versions before 3.7.0. Eight POST APIs related to graph data, sync intervals, document view times, and search embedding are protected only by a basic authentication check (model.CheckAuth) but omit more restrictive checks like model.CheckAdminRole and model.CheckReadonly. Consequently, users with a RoleReader in publish mode or RoleEditor with readonly workspace permissions can invoke these APIs to mutate server-side state, including atomic rewrites of the workspace configuration file conf.json. This vulnerability allows unauthorized state changes by roles that should have limited or no write permissions. The vulnerability is resolved in SiYuan 3.7.0.
Potential Impact
Attackers or unauthorized users with a JWT passing the basic authentication check can modify critical server-side configuration and SQL index data. This can lead to unauthorized changes in workspace settings and potentially disrupt normal operation or data integrity. The vulnerability affects all SiYuan instances running versions earlier than 3.7.0. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade SiYuan to version 3.7.0 or later, where this improper authorization vulnerability is fixed. Since no official patch or temporary fix is documented beyond this version upgrade, applying the update is the recommended remediation. Patch status is not explicitly confirmed beyond the version fix note; verify with the vendor advisory for any additional guidance.
CVE-2026-45371: CWE-285: Improper Authorization in siyuan-note siyuan
Description
SiYuan versions prior to 3. 7. 0 contain an improper authorization vulnerability where certain publish-mode Reader roles can modify configuration and SQL index data via eight APIs that lack proper admin or readonly checks. This allows any caller with a JWT passing basic authentication, including anonymous publish visitors, to write server-side state such as workspace configuration files. The issue is fixed in version 3. 7. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45371 is an improper authorization vulnerability in SiYuan (an open-source personal knowledge management system) versions before 3.7.0. Eight POST APIs related to graph data, sync intervals, document view times, and search embedding are protected only by a basic authentication check (model.CheckAuth) but omit more restrictive checks like model.CheckAdminRole and model.CheckReadonly. Consequently, users with a RoleReader in publish mode or RoleEditor with readonly workspace permissions can invoke these APIs to mutate server-side state, including atomic rewrites of the workspace configuration file conf.json. This vulnerability allows unauthorized state changes by roles that should have limited or no write permissions. The vulnerability is resolved in SiYuan 3.7.0.
Potential Impact
Attackers or unauthorized users with a JWT passing the basic authentication check can modify critical server-side configuration and SQL index data. This can lead to unauthorized changes in workspace settings and potentially disrupt normal operation or data integrity. The vulnerability affects all SiYuan instances running versions earlier than 3.7.0. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade SiYuan to version 3.7.0 or later, where this improper authorization vulnerability is fixed. Since no official patch or temporary fix is documented beyond this version upgrade, applying the update is the recommended remediation. Patch status is not explicitly confirmed beyond the version fix note; verify with the vendor advisory for any additional guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-12T00:51:29.086Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a06e21cec166c07b0e8f088
Added to database: 5/15/2026, 9:06:36 AM
Last enriched: 5/15/2026, 9:09:34 AM
Last updated: 5/15/2026, 6:19:46 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.