{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sillytavern--1.17.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sillytavern (\u003c= 1.17.0)"],"_cs_severities":["medium"],"_cs_tags":["credential-access","session-reuse","web-application"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eSillyTavern, a popular open-source AI chatbot interface, is vulnerable to session reuse. Prior to version 1.18.0, changing a user\u0026rsquo;s password does not invalidate existing session cookies. This vulnerability stems from the application\u0026rsquo;s reliance on cookie-session for authentication, where session data is stored client-side. An attacker who has obtained a valid session cookie can maintain persistent access to a user\u0026rsquo;s account, even after the user changes their password. The default cookie lifespan of 400 days gives attackers a very long window for potential exploitation. 
Defenders should ensure that their SillyTavern installations are upgraded to version 1.18.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a user\u0026rsquo;s valid session cookie through methods like XSS, man-in-the-middle attacks, or physical access to the user\u0026rsquo;s device.\u003c/li\u003e\n\u003cli\u003eThe attacker imports the stolen cookie into their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the SillyTavern application using the imported cookie.\u003c/li\u003e\n\u003cli\u003eThe victim, suspecting account compromise, changes their password via the \u003ccode\u003e/api/users/change-password\u003c/code\u003e endpoint or \u003ccode\u003e/api/users/recover-step2\u003c/code\u003e after initiating an account recovery.\u003c/li\u003e\n\u003cli\u003eThe SillyTavern application updates the password hash in the database but does not invalidate the existing session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker, still possessing the valid cookie, continues to access the victim\u0026rsquo;s account and perform privileged actions.\u003c/li\u003e\n\u003cli\u003eThe attacker views sensitive information, modifies user settings, or interacts with the AI chatbot as the compromised user.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains unauthorized access until the cookie expires, by default after 400 days.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers who have stolen session cookies to maintain persistent control over user accounts. Even after a password reset, attackers can continue accessing sensitive information, impersonate the user, and perform unauthorized actions. 
With a default cookie lifespan of 400 days, this vulnerability presents a significant risk of long-term account compromise, especially in environments where users may be slow to update their passwords or revoke sessions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SillyTavern installations to version 1.18.0 or later to address the session invalidation vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and deploy the \u0026ldquo;Detect SillyTavern Session Cookie Use After Password Change\u0026rdquo; Sigma rule to identify suspicious activity associated with session reuse.\u003c/li\u003e\n\u003cli\u003eImplement strict cookie security policies, including setting the \u003ccode\u003eHttpOnly\u003c/code\u003e and \u003ccode\u003eSecure\u003c/code\u003e flags, to reduce the risk of session cookie theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:25:05Z","date_published":"2026-05-12T22:25:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-session-reuse/","summary":"SillyTavern versions 1.17.0 and earlier do not invalidate existing sessions after a password change, allowing attackers with stolen session cookies to retain access even after the victim resets their password, which nullifies the password reset as a recovery measure against session theft.","title":"SillyTavern Session Reuse After Password Change","url":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-session-reuse/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sillytavern (\u003c= 1.17.0)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","header-injection","account-takeover","cve-2026-44649"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eSillyTavern versions 1.17.0 and earlier contain an authentication bypass vulnerability related to Single 
Sign-On (SSO) header handling. When SSO is configured with Authelia or Authentik, the application trusts the \u003ccode\u003eRemote-User\u003c/code\u003e and \u003ccode\u003eX-Authentik-Username\u003c/code\u003e HTTP headers to automatically log in users. However, there\u0026rsquo;s no validation to ensure these headers originate from a trusted reverse proxy. This lack of validation allows any network client capable of reaching the SillyTavern port to inject arbitrary headers and authenticate as any user, including administrators, without providing valid credentials. This vulnerability is only exploitable when \u003ccode\u003esso.autheliaAuth: true\u003c/code\u003e or \u003ccode\u003esso.authentikAuth: true\u003c/code\u003e is set in the \u003ccode\u003econfig.yaml\u003c/code\u003e file. This issue was resolved in version 1.18.0 by introducing a configuration option to limit the IP addresses authorized to use SSO headers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a SillyTavern instance with SSO enabled for Authelia or Authentik (sso.autheliaAuth or sso.authentikAuth set to true in config.yaml).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/users/list\u003c/code\u003e to enumerate valid usernames. 
This endpoint is publicly accessible.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON list of user handles, including administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request, injecting either the \u003ccode\u003eRemote-User\u003c/code\u003e or \u003ccode\u003eX-Authentik-Username\u003c/code\u003e header with the target username (e.g., \u0026ldquo;admin-user\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker sends this crafted request to the \u003ccode\u003e/login\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe SillyTavern server\u0026rsquo;s \u003ccode\u003eheaderUserLogin\u003c/code\u003e function reads the injected header and creates an authenticated session for the specified user without any validation.\u003c/li\u003e\n\u003cli\u003eThe attacker receives a valid session cookie (\u003ccode\u003eauthsession\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves a CSRF token from the \u003ccode\u003e/csrf-token\u003c/code\u003e endpoint using the session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access administrative endpoints (e.g., \u003ccode\u003e/api/users/admin/get\u003c/code\u003e) using the injected session and CSRF token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to complete account takeover, enabling an attacker to perform any action authorized for the impersonated user, including accessing sensitive data, modifying configurations, and performing other administrative tasks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to SillyTavern version 1.18.0 or later, which includes a configuration option to limit authorized IP addresses for SSO headers (see Resolution section in the advisory).\u003c/li\u003e\n\u003cli\u003eApply the configuration to limit SSO header authorization to only loopback addresses 
(127.0.0.1) or trusted reverse proxy IPs, as documented in \u003ca href=\"https://docs.sillytavern.app/administration/sso/\"\u003ehttps://docs.sillytavern.app/administration/sso/\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern User Enumeration via /api/users/list\u0026rdquo; to identify attempts to enumerate user accounts using the publicly accessible API endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern Authentication Bypass via Header Injection\u0026rdquo; to detect requests with injected Remote-User or X-Authentik-Username headers to the /login endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:24:31Z","date_published":"2026-05-12T22:24:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-auth-bypass/","summary":"SillyTavern versions 1.17.0 and earlier are vulnerable to an authentication bypass (CVE-2026-44649) via HTTP header injection, where the application accepts Remote-User and X-Authentik-Username headers for SSO without proper validation, allowing attackers to impersonate any user, including administrators, if SSO is enabled.","title":"SillyTavern Authentication Bypass via HTTP Header Injection (CVE-2026-44649)","url":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2025-59159"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sillytavern (\u003c= 1.17.0)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","web-application","CVE-2026-44650"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eSillyTavern, a popular open-source AI storytelling application, is vulnerable to a path traversal attack (CVE-2026-44650) affecting versions 1.17.0 and earlier. 
The vulnerability resides in the extensions API endpoints, specifically \u003ccode\u003e/api/extensions/delete\u003c/code\u003e, \u003ccode\u003e/api/extensions/update\u003c/code\u003e, \u003ccode\u003e/api/extensions/version\u003c/code\u003e, \u003ccode\u003e/api/extensions/branches\u003c/code\u003e, and \u003ccode\u003e/api/extensions/switch\u003c/code\u003e. Due to insufficient validation and sanitization of the \u003ccode\u003eextensionName\u003c/code\u003e parameter, an unauthenticated attacker can send a crafted HTTP POST request with \u003ccode\u003eextensionName: \u0026quot;.\u0026quot;\u003c/code\u003e to these endpoints, causing the application to recursively delete the entire extensions directory. This vulnerability is exploitable by anyone with network access to the SillyTavern instance in its default configuration (basicAuthMode: false). Furthermore, this can be chained with CVE-2025-59159 (DNS rebinding) to enable remote exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable SillyTavern instance running version 1.17.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/api/extensions/delete\u003c/code\u003e endpoint (or \u003ccode\u003e/update\u003c/code\u003e, \u003ccode\u003e/version\u003c/code\u003e, \u003ccode\u003e/branches\u003c/code\u003e, \u003ccode\u003e/switch\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker includes a JSON payload in the request body with the \u003ccode\u003eextensionName\u003c/code\u003e parameter set to \u003ccode\u003e.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application receives the request and proceeds to the \u003ccode\u003esrc/endpoints/extensions.js\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s validation logic incorrectly allows the \u003ccode\u003e.\u003c/code\u003e value because the 
check \u003ccode\u003e!request.body.extensionName\u003c/code\u003e occurs before sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize-filename\u003c/code\u003e function converts the \u003ccode\u003e.\u003c/code\u003e to an empty string \u0026ldquo;\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epath.join(basePath, \u0026quot;\u0026quot;)\u003c/code\u003e function concatenates the base extensions path with the empty string, resulting in the \u003ccode\u003ebasePath\u003c/code\u003e itself.\u003c/li\u003e\n\u003cli\u003eThe application then executes \u003ccode\u003efs.promises.rm(extensionPath, { recursive: true })\u003c/code\u003e, effectively deleting the entire extensions directory (e.g., \u003ccode\u003edata\\default-user\\extensions\\\u003c/code\u003e).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-44650) leads to the complete and unrecoverable removal of all installed third-party extensions from the SillyTavern instance. The default configuration of SillyTavern does not require authentication, making the vulnerability easily exploitable. If the application is configured with \u003ccode\u003eglobal: true\u003c/code\u003e and admin privileges, the attacker can also delete the global extensions directory, affecting all users. The vulnerability can be combined with CVE-2025-59159 (DNS rebinding) to enable unauthenticated remote exploitation from a malicious website. 
The CVSS score is 9.1 (Critical).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix from the advisory to the \u003ccode\u003e/api/extensions/delete\u003c/code\u003e, \u003ccode\u003e/api/extensions/update\u003c/code\u003e, \u003ccode\u003e/api/extensions/version\u003c/code\u003e, \u003ccode\u003e/api/extensions/branches\u003c/code\u003e, and \u003ccode\u003e/api/extensions/switch\u003c/code\u003e endpoints, ensuring that validation occurs \u003cem\u003eafter\u003c/em\u003e sanitization and including a path traversal guard (see \u0026ldquo;Suggested Fix\u0026rdquo; in the content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SillyTavern Path Traversal Attempt via Extension Deletion\u003c/code\u003e to detect attempts to exploit CVE-2026-44650 targeting the \u003ccode\u003e/api/extensions/delete\u003c/code\u003e endpoint based on the \u003ccode\u003eextensionName\u003c/code\u003e parameter value.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SillyTavern Path Traversal Attempt via Other Endpoints\u003c/code\u003e to detect attempts to exploit CVE-2026-44650 on the \u003ccode\u003e/api/extensions/update\u003c/code\u003e, \u003ccode\u003e/api/extensions/version\u003c/code\u003e, \u003ccode\u003e/api/extensions/branches\u003c/code\u003e, and \u003ccode\u003e/api/extensions/switch\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to the extensions API endpoints with suspicious \u003ccode\u003eextensionName\u003c/code\u003e values as an indicator of potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:24:16Z","date_published":"2026-05-12T22:24:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-path-traversal/","summary":"SillyTavern versions 1.17.0 and earlier contain a path traversal vulnerability, CVE-2026-44650, in the 
`/api/extensions/delete` endpoint (and others), allowing an unauthenticated user to delete the entire extensions directory by providing '.' as the extension name, leading to data loss and potential remote exploitation via chaining with CVE-2025-59159.","title":"SillyTavern Unauthenticated Path Traversal in Extensions API","url":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Sillytavern (\u003c= 1.17.0)","version":"https://jsonfeed.org/version/1.1"}