Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14602 vulnerabilities reference this CWE, most recent first.

GHSA-6QWC-RQW2-F772

Vulnerability from github – Published: 2022-12-06 09:30 – Updated: 2022-12-07 18:30
VLAI
Details

In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-06T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.",
  "id": "GHSA-6qwc-rqw2-f772",
  "modified": "2022-12-07T18:30:27Z",
  "published": "2022-12-06T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39090"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1599588060988411006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R2G-MFV9-3VR8

Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2026-04-01 18:35
VLAI
Details

Missing Authorization vulnerability in CozyThemes Cozy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through 2.1.22.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T15:16:02Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in CozyThemes Cozy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through 2.1.22.",
  "id": "GHSA-6r2g-mfv9-3vr8",
  "modified": "2026-04-01T18:35:02Z",
  "published": "2025-05-07T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47485"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/cozy-addons/vulnerability/wordpress-cozy-blocks-2-1-22-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R3H-C2FG-866F

Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 21:31
VLAI
Details

In power manager, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T01:15:11Z",
    "severity": "HIGH"
  },
  "details": "In power manager, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed",
  "id": "GHSA-6r3h-c2fg-866f",
  "modified": "2023-12-07T21:31:08Z",
  "published": "2023-12-04T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42746"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R3Q-WQ2W-2RXP

Vulnerability from github – Published: 2024-05-02 18:30 – Updated: 2024-05-02 18:30
VLAI
Details

The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the add_media_library_images_to_gallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or above, to upload arbitrary images to a gallery.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-02T17:15:27Z",
    "severity": "MODERATE"
  },
  "details": "The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the add_media_library_images_to_gallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or above, to upload arbitrary images to a gallery.",
  "id": "GHSA-6r3q-wq2w-2rxp",
  "modified": "2024-05-02T18:30:54Z",
  "published": "2024-05-02T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3581"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/maxgalleria/trunk/maxgalleria-image-gallery.php#L95"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3070919%40maxgalleria%2Ftrunk\u0026old=3059014%40maxgalleria%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0629798c-ede2-43ac-9ec4-2cd99cd34ae2?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R4G-8VRX-4GMQ

Vulnerability from github – Published: 2025-05-19 21:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T20:15:23Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.",
  "id": "GHSA-6r4g-8vrx-4gmq",
  "modified": "2026-04-28T21:35:38Z",
  "published": "2025-05-19T21:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39350"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/wproject/vulnerability/wordpress-wproject-theme-5-8-0-unauthenticated-post-comment-attachment-modification-deletion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R7V-R49R-49R5

Vulnerability from github – Published: 2024-06-10 09:31 – Updated: 2024-09-25 15:31
VLAI
Details

Missing Authorization vulnerability in A WP Life Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow.This issue affects Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow: from n/a through 1.3.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-10T08:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in A WP Life Media Slider \u2013 Photo Sleder, Video Slider, Link Slider, Carousal Slideshow.This issue affects Media Slider \u2013 Photo Sleder, Video Slider, Link Slider, Carousal Slideshow: from n/a through 1.3.9.",
  "id": "GHSA-6r7v-r49r-49r5",
  "modified": "2024-09-25T15:31:10Z",
  "published": "2024-06-10T09:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35717"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/media-slider/wordpress-media-slider-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R7V-WW2R-2QPR

Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-24 09:30
VLAI
Details

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T07:16:28Z",
    "severity": "MODERATE"
  },
  "details": "The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.",
  "id": "GHSA-6r7v-ww2r-2qpr",
  "modified": "2026-06-24T09:30:47Z",
  "published": "2026-06-24T09:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8690"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rentmy-online-rental-shop/trunk/includes/class-rentmy-ajax.php#L16"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rentmy-online-rental-shop/trunk/includes/class-rentmy-ajax.php#L53"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rentmy-online-rental-shop/trunk/includes/class-rentmy-ajax.php#L73"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/rentmy-online-rental-shop/trunk/includes/class-rentmy-ajax.php#L83"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd399ed3-03b2-477c-b38c-549d6066b6e8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R7X-H2CV-64J8

Vulnerability from github – Published: 2024-06-09 12:30 – Updated: 2024-06-09 12:30
VLAI
Details

Missing Authorization vulnerability in CodeRevolution Aiomatic.This issue affects Aiomatic: from n/a through 1.9.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-09T12:15:13Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in CodeRevolution Aiomatic.This issue affects Aiomatic: from n/a through 1.9.3.",
  "id": "GHSA-6r7x-h2cv-64j8",
  "modified": "2024-06-09T12:30:53Z",
  "published": "2024-06-09T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34435"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/aiomatic-automatic-ai-content-writer/wordpress-aiomatic-plugin-1-9-3-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R87-MG59-2PRC

Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2026-04-08 18:32
VLAI
Details

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T01:43:49Z",
    "severity": "MODERATE"
  },
  "details": "The Paid Membership Subscriptions \u2013 Effortless Memberships, Recurring Payments \u0026 Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.",
  "id": "GHSA-6r87-mg59-2prc",
  "modified": "2026-04-08T18:32:40Z",
  "published": "2024-02-29T03:33:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1390"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/admin/class-admin-subscription-plans.php#L477"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3034497%40paid-member-subscriptions%2Ftrunk\u0026old=3031453%40paid-member-subscriptions%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R88-8V7Q-Q4P2

Vulnerability from github – Published: 2026-05-13 15:32 – Updated: 2026-05-15 23:45
VLAI
Summary
SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
Details

Summary

POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any authenticated user — including publish-service RoleReader accounts and RoleEditor accounts on a read-only workspace — can call this endpoint with a sort argument to mutate model.Conf.Tag.Sort and trigger model.Conf.Save(), which atomically rewrites the entire workspace conf.json.

Same root-cause class as the patched GHSA-4j3x-hhg2-fm2x (which fixed missing CheckAdminRole + CheckReadonly on /api/template/renderSprig).

Details

Affected files / lines (v3.6.5):

kernel/api/router.go:170 — only CheckAuth:

ginServer.Handle("POST", "/api/tag/getTag", model.CheckAuth, getTag)
// Compare the sibling registrations on the next two lines, which DO gate writes:
ginServer.Handle("POST", "/api/tag/renameTag", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, renameTag)
ginServer.Handle("POST", "/api/tag/removeTag", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, removeTag)

kernel/api/tag.go:28-64 — handler. The if nil != arg["sort"] block writes config without any role check:

func getTag(c *gin.Context) {
    ret := gulu.Ret.NewResult()
    defer c.JSON(http.StatusOK, ret)
    arg, ok := util.JsonArg(c, ret)
    if !ok { return }
    ...
    if nil != arg["sort"] {                    // ← unauthorized write path
        sortVal, ok := util.ParseJsonArg[float64]("sort", arg, ret, true, false)
        if !ok { return }
        model.Conf.Tag.Sort = int(sortVal)
        model.Conf.Save()                      // persists entire conf to <workspace>/conf/conf.json
    }
    ...
}

Conf.Save() rewrites the entire configuration file, which means a malicious caller racing with a legitimate config change can roll back another user's setting (TOCTOU on the global config object).

PoC

Same Docker setup as Advisory 1.

# 1. Authenticate (any role with CheckAuth pass — admin used here for convenience).
curl -s -c /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/system/loginAuth \
  -H 'Content-Type: application/json' -d '{"authCode":"audittest"}' >/dev/null

# 2. Read current Conf.Tag.Sort.
curl -s -b /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/system/getConf \
  -H 'Content-Type: application/json' -d '{}' \
  | python3 -c "import json,sys;print('Conf.Tag.Sort BEFORE =',json.load(sys.stdin)['data']['conf']['tag']['sort'])"
# → Conf.Tag.Sort BEFORE = 4

# 3. Mutate via the read-style endpoint.
curl -s -b /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/tag/getTag \
  -H 'Content-Type: application/json' -d '{"sort": 7}'
# → {"code":0,"msg":"","data":[]}

# 4. Confirm in-memory.
curl -s -b /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/system/getConf \
  -H 'Content-Type: application/json' -d '{}' \
  | python3 -c "import json,sys;print('Conf.Tag.Sort AFTER =',json.load(sys.stdin)['data']['conf']['tag']['sort'])"
# → Conf.Tag.Sort AFTER = 7

# 5. Confirm persisted to disk inside the container.
docker exec siyuan-audit grep -o 'sort":[0-9]*' /siyuan/workspace/conf/conf.json
# → sort":7

The vulnerability is exposed to publish-mode RoleReader (default for any anonymous publish visitor) and to RoleEditor users on workspaces where the administrator has set Editor.ReadOnly = true.

Impact

Limited direct damage — the writable field is only the tag display sort order. The pattern is concerning because:

  • It demonstrates the same gap that GHSA-4j3x-hhg2-fm2x was meant to flag broadly (missing CheckAdminRole + CheckReadonly on a read-style endpoint that performs writes); each occurrence has to be patched individually.
  • Conf.Save() rewrites the whole file, so a write-race during a legitimate configuration change can overwrite unrelated user-set values.
  • A publish-service Reader being able to mutate any server state at all violates the intended trust boundary.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260512140701-d7b77d945e0d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T15:32:35Z",
    "nvd_published_at": "2026-05-14T19:16:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`POST /api/tag/getTag` is registered with `model.CheckAuth` only, omitting both `model.CheckAdminRole` and `model.CheckReadonly`, despite the handler performing a configuration write that is normally guarded by both. Any authenticated user \u2014 including publish-service `RoleReader` accounts and `RoleEditor` accounts on a read-only workspace \u2014 can call this endpoint with a `sort` argument to mutate `model.Conf.Tag.Sort` and trigger `model.Conf.Save()`, which atomically rewrites the entire workspace `conf.json`.\n\nSame root-cause class as the patched `GHSA-4j3x-hhg2-fm2x` (which fixed missing `CheckAdminRole + CheckReadonly` on `/api/template/renderSprig`).\n\n### Details\n\n**Affected files / lines (v3.6.5):**\n\n`kernel/api/router.go:170` \u2014 only `CheckAuth`:\n\n```go\nginServer.Handle(\"POST\", \"/api/tag/getTag\", model.CheckAuth, getTag)\n// Compare the sibling registrations on the next two lines, which DO gate writes:\nginServer.Handle(\"POST\", \"/api/tag/renameTag\", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, renameTag)\nginServer.Handle(\"POST\", \"/api/tag/removeTag\", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, removeTag)\n```\n\n`kernel/api/tag.go:28-64` \u2014 handler. The `if nil != arg[\"sort\"]` block writes config without any role check:\n\n```go\nfunc getTag(c *gin.Context) {\n    ret := gulu.Ret.NewResult()\n    defer c.JSON(http.StatusOK, ret)\n    arg, ok := util.JsonArg(c, ret)\n    if !ok { return }\n    ...\n    if nil != arg[\"sort\"] {                    // \u2190 unauthorized write path\n        sortVal, ok := util.ParseJsonArg[float64](\"sort\", arg, ret, true, false)\n        if !ok { return }\n        model.Conf.Tag.Sort = int(sortVal)\n        model.Conf.Save()                      // persists entire conf to \u003cworkspace\u003e/conf/conf.json\n    }\n    ...\n}\n```\n\n`Conf.Save()` rewrites the **entire** configuration file, which means a malicious caller racing with a legitimate config change can roll back another user\u0027s setting (TOCTOU on the global config object).\n\n### PoC\n\nSame Docker setup as Advisory 1.\n\n```bash\n# 1. Authenticate (any role with CheckAuth pass \u2014 admin used here for convenience).\ncurl -s -c /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/system/loginAuth \\\n  -H \u0027Content-Type: application/json\u0027 -d \u0027{\"authCode\":\"audittest\"}\u0027 \u003e/dev/null\n\n# 2. Read current Conf.Tag.Sort.\ncurl -s -b /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/system/getConf \\\n  -H \u0027Content-Type: application/json\u0027 -d \u0027{}\u0027 \\\n  | python3 -c \"import json,sys;print(\u0027Conf.Tag.Sort BEFORE =\u0027,json.load(sys.stdin)[\u0027data\u0027][\u0027conf\u0027][\u0027tag\u0027][\u0027sort\u0027])\"\n# \u2192 Conf.Tag.Sort BEFORE = 4\n\n# 3. Mutate via the read-style endpoint.\ncurl -s -b /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/tag/getTag \\\n  -H \u0027Content-Type: application/json\u0027 -d \u0027{\"sort\": 7}\u0027\n# \u2192 {\"code\":0,\"msg\":\"\",\"data\":[]}\n\n# 4. Confirm in-memory.\ncurl -s -b /tmp/sy.cookie -X POST http://127.0.0.1:6806/api/system/getConf \\\n  -H \u0027Content-Type: application/json\u0027 -d \u0027{}\u0027 \\\n  | python3 -c \"import json,sys;print(\u0027Conf.Tag.Sort AFTER =\u0027,json.load(sys.stdin)[\u0027data\u0027][\u0027conf\u0027][\u0027tag\u0027][\u0027sort\u0027])\"\n# \u2192 Conf.Tag.Sort AFTER = 7\n\n# 5. Confirm persisted to disk inside the container.\ndocker exec siyuan-audit grep -o \u0027sort\":[0-9]*\u0027 /siyuan/workspace/conf/conf.json\n# \u2192 sort\":7\n```\n\nThe vulnerability is exposed to publish-mode `RoleReader` (default for any anonymous publish visitor) and to `RoleEditor` users on workspaces where the administrator has set `Editor.ReadOnly = true`.\n\n### Impact\n\nLimited direct damage \u2014 the writable field is only the tag display sort order. The pattern is concerning because:\n\n- It demonstrates the same gap that `GHSA-4j3x-hhg2-fm2x` was meant to flag broadly (missing `CheckAdminRole + CheckReadonly` on a read-style endpoint that performs writes); each occurrence has to be patched individually.\n- `Conf.Save()` rewrites the whole file, so a write-race during a legitimate configuration change can overwrite unrelated user-set values.\n- A publish-service Reader being able to mutate any server state at all violates the intended trust boundary.",
  "id": "GHSA-6r88-8v7q-q4p2",
  "modified": "2026-05-15T23:45:15Z",
  "published": "2026-05-13T15:32:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6r88-8v7q-q4p2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45147"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan: Broken access control in `/api/tag/getTag` \u2014 Reader role can mutate `Conf.Tag.Sort` and persist to disk"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.