Insufficient Authorization in SiYuan Knowledge Management System
CVE-2026-45147

4.3 MEDIUM

Key Information:

CVE Published:
14 May 2026

What is CVE-2026-45147?

SiYuan Knowledge Management System before version 3.7.0 performs insufficient authorization on the POST /api/tag/getTag endpoint. Any authenticated user, including accounts holding the RoleReader or RoleEditor role in a read-only workspace, can call the endpoint with a sort argument; the handler stores the value in model.Conf.Tag.Sort and then calls model.Conf.Save(), which rewrites the workspace's conf.json. An endpoint named as a read operation ("getTag") therefore carries a persistent configuration write that is reachable from roles that are not meant to change workspace settings. Only that one setting is attacker-controlled, which is why the CVSS integrity impact is rated Low, but every call rewrites the whole configuration file. The issue is fixed in version 3.7.0; after upgrading, a useful check is to send the request as a RoleReader with a sort value and confirm that Tag.Sort in conf.json is unchanged.
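The following Go program is an added example and is not SiYuan's own code. It models the pattern the advisory describes, a read-style handler that also persists a setting, side by side with a gated version. The Role values, the Conf shape, the handleGetTag and canWriteConf functions, and the admin-only write policy are all assumptions made for the illustration; the page does not state what policy the 3.7.0 fix applies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Role mirrors the role names the advisory quotes; the numeric values are assumed.
type Role int

const (
	RoleAdministrator Role = iota
	RoleEditor
	RoleReader
)

// Conf is a hypothetical stand-in for the workspace configuration object.
type Conf struct {
	TagSort int // the field the advisory calls model.Conf.Tag.Sort
	Saves   int // how many times Save() would have rewritten conf.json
}

// Save stands in for model.Conf.Save(): each call rewrites the whole conf.json.
// Here it only counts the calls so the example runs without touching disk.
func (c *Conf) Save() { c.Saves++ }

// getTagRequest is the JSON body; "sort" is optional, which is what makes the
// write path easy to miss when reviewing a handler named getTag.
type getTagRequest struct {
	Sort *int `json:"sort"`
}

// canWriteConf is the check the vulnerable handler lacks. The policy here
// (administrator only, never in a read-only workspace) is an assumption.
func canWriteConf(role Role, readOnly bool) bool {
	return role == RoleAdministrator && !readOnly
}

// handleGetTag models POST /api/tag/getTag and returns the HTTP status code.
// enforce=false reproduces the pre-3.7.0 behaviour described in the advisory:
// any authenticated caller who supplies "sort" changes the setting and triggers
// a full config save. enforce=true gates the write on canWriteConf while
// leaving the read path (no "sort" in the body) open to every role.
func handleGetTag(conf *Conf, role Role, readOnly bool, enforce bool, body string) int {
	var req getTagRequest
	if err := json.NewDecoder(strings.NewReader(body)).Decode(&req); err != nil {
		return http.StatusBadRequest
	}
	if req.Sort != nil {
		if enforce && !canWriteConf(role, readOnly) {
			return http.StatusForbidden
		}
		conf.TagSort = *req.Sort
		conf.Save()
	}
	return http.StatusOK
}

// ExploitAsReader replays the advisory's scenario: a RoleReader in a read-only
// workspace posts a constructed body {"sort": 7}. It returns the status code and
// whether conf.json would have been rewritten.
func ExploitAsReader(enforce bool) (int, bool) {
	conf := &Conf{}
	status := handleGetTag(conf, RoleReader, true, enforce, `{"sort": 7}`)
	return status, conf.Saves > 0
}

func main() {
	for _, enforce := range []bool{false, true} {
		status, saved := ExploitAsReader(enforce)
		fmt.Printf("enforce=%v: status=%d conf.json rewritten=%v\n", enforce, status, saved)
	}
}
```

The hardened variant keeps the endpoint readable by every role and refuses only the side effect, which is the shape of fix a reviewer should expect for a read endpoint that grew a write parameter; the alternative of moving the write to a dedicated endpoint with its own authorization check is equally valid.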

Affected Version(s)

siyuan < 3.7.0

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Score: 4.3
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
