CVE-2026-45148: SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode

May 13, 2026 (updated May 15, 2026)

The advisory GHSA-c77m-r996-jr3q patched getBookmark so that, when invoked by a publish-mode RoleReader, results are filtered through FilterBlocksByPublishAccess to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not receive the equivalent treatment and continue to expose metadata across the publish-access boundary.

References

github.com/advisories/GHSA-fmh9-gpqh-g53g
github.com/siyuan-note/siyuan/security/advisories/GHSA-fmh9-gpqh-g53g
nvd.nist.gov/vuln/detail/CVE-2026-45148

Code Behaviors & Features

Detect and mitigate CVE-2026-45148 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →