https://feed.craftedsignal.io/products/sillytavern--1.17.0/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 22:25:05 +0000https://feed.craftedsignal.io/briefs/2026-05-sillytavern-session-reuse/Tue, 12 May 2026 22:25:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-sillytavern-session-reuse/SillyTavern versions 1.17.0 and earlier do not invalidate existing sessions after a password change, allowing attackers with stolen session cookies to retain access, even after the victim resets their password, and nullifies the password reset as a recovery measure against session theft.SillyTavern, a popular open-source AI chatbot interface, is vulnerable to session reuse. Prior to version 1.18.0, changing a user’s password does not invalidate existing session cookies. This vulnerability stems from the application’s reliance on cookie-session for authentication, where session data is stored client-side. An attacker who has obtained a valid session cookie can maintain persistent access to a user’s account, even after the user changes their password. The default cookie lifespan of 400 days gives attackers a very long window for potential exploitation. Defenders should ensure that their SillyTavern installations are upgraded to version 1.18.0 or later to mitigate this risk.

Attack Chain

1. An attacker gains unauthorized access to a user’s valid session cookie through methods like XSS, man-in-the-middle attacks, or physical access to the user’s device.
2. The attacker imports the stolen cookie into their browser.
3. The attacker authenticates to the SillyTavern application using the imported cookie.
4. The victim, suspecting account compromise, changes their password via the /api/users/change-password endpoint or /api/users/recover-step2 after initiating an account recovery.
5. The SillyTavern application updates the password hash in the database but does not invalidate the existing session cookie.
6. The attacker, still possessing the valid cookie, continues to access the victim’s account and perform privileged actions.
7. The attacker views sensitive information, modifies user settings, or interacts with the AI chatbot as the compromised user.
8. The attacker maintains unauthorized access until the cookie expires, by default after 400 days.

Impact

Successful exploitation allows attackers who have stolen session cookies to maintain persistent control over user accounts. Even after a password reset, attackers can continue accessing sensitive information, impersonate the user, and perform unauthorized actions. With a default cookie lifespan of 400 days, this vulnerability presents a significant risk of long-term account compromise, especially in environments where users may be slow to update their passwords or revoke sessions.

Recommendation

• Upgrade SillyTavern installations to version 1.18.0 or later to address the session invalidation vulnerability.
• Enable web server logging and deploy the “Detect SillyTavern Session Cookie Use After Password Change” Sigma rule to identify suspicious activity associated with session reuse.
• Implement strict cookie security policies, including setting the HttpOnly and Secure flags, to reduce the risk of session cookie theft.

]]>mediumadvisorycredential-accesssession-reuseweb-applicationhttps://feed.craftedsignal.io/briefs/2026-05-sillytavern-auth-bypass/Tue, 12 May 2026 22:24:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-sillytavern-auth-bypass/SillyTavern versions 1.17.0 and earlier are vulnerable to an authentication bypass (CVE-2026-44649) via HTTP header injection, where the application accepts Remote-User and X-Authentik-Username headers for SSO without proper validation, allowing attackers to impersonate any user, including administrators, if SSO is enabled.SillyTavern versions 1.17.0 and earlier contain an authentication bypass vulnerability related to Single Sign-On (SSO) header handling. When SSO is configured with Authelia or Authentik, the application trusts the Remote-User and X-Authentik-Username HTTP headers to automatically log in users. However, there’s no validation to ensure these headers originate from a trusted reverse proxy. This lack of validation allows any network client capable of reaching the SillyTavern port to inject arbitrary headers and authenticate as any user, including administrators, without providing valid credentials. This vulnerability is only exploitable when sso.autheliaAuth: true or sso.authentikAuth: true is set in the config.yaml file. This issue was resolved in version 1.18.0 by introducing a configuration option to limit the IP addresses authorized to use SSO headers.

Attack Chain

1. The attacker identifies a SillyTavern instance with SSO enabled for Authelia or Authentik (sso.autheliaAuth or sso.authentikAuth set to true in config.yaml).
2. The attacker sends a POST request to /api/users/list to enumerate valid usernames. This endpoint is publicly accessible.
3. The server responds with a JSON list of user handles, including administrator accounts.
4. The attacker crafts an HTTP request, injecting either the Remote-User or X-Authentik-Username header with the target username (e.g., “admin-user”).
5. The attacker sends this crafted request to the /login endpoint.
6. The SillyTavern server’s headerUserLogin function reads the injected header and creates an authenticated session for the specified user without any validation.
7. The attacker receives a valid session cookie (authsession).
8. The attacker retrieves a CSRF token from the /csrf-token endpoint using the session cookie.
9. The attacker can now access administrative endpoints (e.g., /api/users/admin/get) using the injected session and CSRF token.

Impact

Successful exploitation leads to complete account takeover, enabling an attacker to perform any action authorized for the impersonated user, including accessing sensitive data, modifying configurations, and performing other administrative tasks.

Recommendation

• Upgrade to SillyTavern version 1.18.0 or later, which includes a configuration option to limit authorized IP addresses for SSO headers (see Resolution section in the advisory).
• Apply the configuration to limit SSO header authorization to only loopback addresses (127.0.0.1) or trusted reverse proxy IPs, as documented in https://docs.sillytavern.app/administration/sso/.
• Deploy the Sigma rule “Detect SillyTavern User Enumeration via /api/users/list” to identify attempts to enumerate user accounts using the publicly accessible API endpoint.
• Deploy the Sigma rule “Detect SillyTavern Authentication Bypass via Header Injection” to detect requests with injected Remote-User or X-Authentik-Username headers to the /login endpoint.

]]>criticaladvisoryauthentication-bypassheader-injectionaccount-takeovercve-2026-44649https://feed.craftedsignal.io/briefs/2026-05-sillytavern-path-traversal/Tue, 12 May 2026 22:24:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-sillytavern-path-traversal/SillyTavern versions 1.17.0 and earlier contain a path traversal vulnerability, CVE-2026-44650, in the `/api/extensions/delete` endpoint (and others), allowing an unauthenticated user to delete the entire extensions directory by providing '.' as the extension name, leading to data loss and potential remote exploitation via chaining with CVE-2025-59159.SillyTavern, a popular open-source AI storytelling application, is vulnerable to a path traversal attack (CVE-2026-44650) affecting versions 1.17.0 and earlier. The vulnerability resides in the extensions API endpoints, specifically /api/extensions/delete, /api/extensions/update, /api/extensions/version, /api/extensions/branches, and /api/extensions/switch. Due to insufficient validation and sanitization of the extensionName parameter, an unauthenticated attacker can send a crafted HTTP POST request with extensionName: "." to these endpoints, causing the application to recursively delete the entire extensions directory. This vulnerability is exploitable by anyone with network access to the SillyTavern instance in its default configuration (basicAuthMode: false). Furthermore, this can be chained with CVE-2025-59159 (DNS rebinding) to enable remote exploitation.

Attack Chain

1. An unauthenticated attacker identifies a vulnerable SillyTavern instance running version 1.17.0 or earlier.
2. The attacker crafts an HTTP POST request to the /api/extensions/delete endpoint (or /update, /version, /branches, /switch).
3. The attacker includes a JSON payload in the request body with the extensionName parameter set to ..
4. The application receives the request and proceeds to the src/endpoints/extensions.js file.
5. The application’s validation logic incorrectly allows the . value because the check !request.body.extensionName occurs before sanitization.
6. The sanitize-filename function converts the . to an empty string “”.
7. The path.join(basePath, "") function concatenates the base extensions path with the empty string, resulting in the basePath itself.
8. The application then executes fs.promises.rm(extensionPath, { recursive: true }), effectively deleting the entire extensions directory (e.g., data\default-user\extensions\).

Impact

Successful exploitation of this path traversal vulnerability (CVE-2026-44650) leads to the complete and unrecoverable removal of all installed third-party extensions from the SillyTavern instance. The default configuration of SillyTavern does not require authentication, making the vulnerability easily exploitable. If the application is configured with global: true and admin privileges, the attacker can also delete the global extensions directory, affecting all users. The vulnerability can be combined with CVE-2025-59159 (DNS rebinding) to enable unauthenticated remote exploitation from a malicious website. The CVSS score is 9.1 (Critical).

Recommendation

• Apply the suggested fix from the advisory to the /api/extensions/delete, /api/extensions/update, /api/extensions/version, /api/extensions/branches, and /api/extensions/switch endpoints, ensuring that validation occurs after sanitization and including a path traversal guard (see “Suggested Fix” in the content).
• Deploy the Sigma rule Detect SillyTavern Path Traversal Attempt via Extension Deletion to detect attempts to exploit CVE-2026-44650 targeting the /api/extensions/delete endpoint based on the extensionName parameter value.
• Deploy the Sigma rule Detect SillyTavern Path Traversal Attempt via Other Endpoints to detect attempts to exploit CVE-2026-44650 on the /api/extensions/update, /api/extensions/version, /api/extensions/branches, and /api/extensions/switch endpoints.
• Monitor web server logs for HTTP POST requests to the extensions API endpoints with suspicious extensionName values as an indicator of potential exploitation.

]]>criticaladvisorypath-traversalweb-applicationCVE-2026-44650