SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode — CVE-2026-45148
GitHub · GitHub · CVE-2026-45148
ID
CVE-2026-45148
CVE-2026-45148
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
4.3
4.3
Summary
### Summary The advisory `GHSA-c77m-r996-jr3q` patched `getBookmark` so that, when invoked by a publish-mode `RoleReader`, results are filtered through `FilterBlocksByPublishAccess` to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not receive the equivalent treatment and continue to expose metadata across the publish-access boundary. ###…
Product
go: github.com/siyuan-note/siyuan/kernel
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.