Improper Authorization in SiYuan Knowledge Management System
CVE-2026-45371
7.2 HIGH
What is CVE-2026-45371?
The SiYuan Knowledge Management System, an open-source platform, contains a vulnerability that allows unauthorized users to alter configurations and SQL indices through eight unsecured APIs. These APIs, which include endpoints for fetching graphs and updating document views, are accessible to any user whose JSON Web Token (JWT) passes basic authentication checks, regardless of the permissions that user actually holds. The risk is therefore greatest where low-privilege callers exist, such as anonymous visitors or users in read-only workspaces. The issue has been addressed in version 3.7.0, which enforces stricter access controls.
Affected Version(s)
siyuan < 3.7.0
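The defect described above is a classic authentication-versus-authorization gap: the token is verified, but the caller's role is never compared with what the route requires. The following Go sketch is an added illustration, not SiYuan's code; the role names, route names and policy table are constructed placeholders.

```go
package main

import "errors"

// Workspace roles; the page's "anonymous visitor" and "read-only workspace"
// map to the two lowest. Names are constructed for this example.
type Role int
const (
	RoleAnonymous Role = iota
	RoleReadOnly
	RoleEditor
)

// Claims stands in for the fields a validated JWT would carry.
type Claims struct {
	Valid bool // signature and expiry already checked
	Role  Role // workspace role the token was issued for
}

var (
	ErrUnauthenticated = errors.New("401 unauthenticated")
	ErrForbidden       = errors.New("403 forbidden")
)

// Policy: minimum role per route. Route names are placeholders, not SiYuan's.
var Policy = map[string]Role{
	"/example/graph/fetch":    RoleReadOnly, // read only
	"/example/doc/updateView": RoleEditor,   // mutates a document
	"/example/config/set":     RoleEditor,   // mutates configuration
	"/example/sql/reindex":    RoleEditor,   // rebuilds SQL indices
}

// AuthorizeVulnerable models the flaw: any valid token opens every route,
// so a read-only or anonymous caller reaches config-altering handlers.
func AuthorizeVulnerable(c Claims, route string) error {
	if !c.Valid {
		return ErrUnauthenticated
	}
	return nil
}

// AuthorizeFixed separates authentication from authorization: the caller's
// role must meet the route's minimum, and unknown routes are denied.
func AuthorizeFixed(c Claims, route string) error {
	if !c.Valid {
		return ErrUnauthenticated
	}
	if need, ok := Policy[route]; !ok || c.Role < need {
		return ErrForbidden
	}
	return nil
}
```

The deny-by-default lookup is the detail that matters: a route missing from the policy table fails closed instead of inheriting "authenticated is enough".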
