{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44649/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sillytavern (\u003c= 1.17.0)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","header-injection","account-takeover","cve-2026-44649"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eSillyTavern versions 1.17.0 and earlier contain an authentication bypass vulnerability related to Single Sign-On (SSO) header handling. When SSO is configured with Authelia or Authentik, the application trusts the \u003ccode\u003eRemote-User\u003c/code\u003e and \u003ccode\u003eX-Authentik-Username\u003c/code\u003e HTTP headers to automatically log in users. However, there\u0026rsquo;s no validation to ensure these headers originate from a trusted reverse proxy. This lack of validation allows any network client capable of reaching the SillyTavern port to inject arbitrary headers and authenticate as any user, including administrators, without providing valid credentials. This vulnerability is only exploitable when \u003ccode\u003esso.autheliaAuth: true\u003c/code\u003e or \u003ccode\u003esso.authentikAuth: true\u003c/code\u003e is set in the \u003ccode\u003econfig.yaml\u003c/code\u003e file. This issue was resolved in version 1.18.0 by introducing a configuration option to limit the IP addresses authorized to use SSO headers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a SillyTavern instance with SSO enabled for Authelia or Authentik (sso.autheliaAuth or sso.authentikAuth set to true in config.yaml).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/users/list\u003c/code\u003e to enumerate valid usernames. This endpoint is publicly accessible.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON list of user handles, including administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request, injecting either the \u003ccode\u003eRemote-User\u003c/code\u003e or \u003ccode\u003eX-Authentik-Username\u003c/code\u003e header with the target username (e.g., \u0026ldquo;admin-user\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker sends this crafted request to the \u003ccode\u003e/login\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe SillyTavern server\u0026rsquo;s \u003ccode\u003eheaderUserLogin\u003c/code\u003e function reads the injected header and creates an authenticated session for the specified user without any validation.\u003c/li\u003e\n\u003cli\u003eThe attacker receives a valid session cookie (\u003ccode\u003eauthsession\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves a CSRF token from the \u003ccode\u003e/csrf-token\u003c/code\u003e endpoint using the session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access administrative endpoints (e.g., \u003ccode\u003e/api/users/admin/get\u003c/code\u003e) using the injected session and CSRF token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to complete account takeover, enabling an attacker to perform any action authorized for the impersonated user, including accessing sensitive data, modifying configurations, and performing other administrative tasks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to SillyTavern version 1.18.0 or later, which includes a configuration option to limit authorized IP addresses for SSO headers (see Resolution section in the advisory).\u003c/li\u003e\n\u003cli\u003eApply the configuration to limit SSO header authorization to only loopback addresses (127.0.0.1) or trusted reverse proxy IPs, as documented in \u003ca href=\"https://docs.sillytavern.app/administration/sso/\"\u003ehttps://docs.sillytavern.app/administration/sso/\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern User Enumeration via /api/users/list\u0026rdquo; to identify attempts to enumerate user accounts using the publicly accessible API endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SillyTavern Authentication Bypass via Header Injection\u0026rdquo; to detect requests with injected Remote-User or X-Authentik-Username headers to the /login endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:24:31Z","date_published":"2026-05-12T22:24:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-auth-bypass/","summary":"SillyTavern versions 1.17.0 and earlier are vulnerable to an authentication bypass (CVE-2026-44649) via HTTP header injection, where the application accepts Remote-User and X-Authentik-Username headers for SSO without proper validation, allowing attackers to impersonate any user, including administrators, if SSO is enabled.","title":"SillyTavern Authentication Bypass via HTTP Header Injection (CVE-2026-44649)","url":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-44649","version":"https://jsonfeed.org/version/1.1"}