{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/session-reuse/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sillytavern (\u003c= 1.17.0)"],"_cs_severities":["medium"],"_cs_tags":["credential-access","session-reuse","web-application"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eSillyTavern, a popular open-source AI chatbot interface, is vulnerable to session reuse. Prior to version 1.18.0, changing a user\u0026rsquo;s password does not invalidate existing session cookies. This vulnerability stems from the application\u0026rsquo;s reliance on cookie-session for authentication, where session data is stored client-side. An attacker who has obtained a valid session cookie can maintain persistent access to a user\u0026rsquo;s account, even after the user changes their password. The default cookie lifespan of 400 days gives attackers a very long window for potential exploitation. Defenders should ensure that their SillyTavern installations are upgraded to version 1.18.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a user\u0026rsquo;s valid session cookie through methods like XSS, man-in-the-middle attacks, or physical access to the user\u0026rsquo;s device.\u003c/li\u003e\n\u003cli\u003eThe attacker imports the stolen cookie into their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the SillyTavern application using the imported cookie.\u003c/li\u003e\n\u003cli\u003eThe victim, suspecting account compromise, changes their password via the \u003ccode\u003e/api/users/change-password\u003c/code\u003e endpoint or \u003ccode\u003e/api/users/recover-step2\u003c/code\u003e after initiating an account recovery.\u003c/li\u003e\n\u003cli\u003eThe SillyTavern application updates the password hash in the database but does not invalidate the existing session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker, still possessing the valid cookie, continues to access the victim\u0026rsquo;s account and perform privileged actions.\u003c/li\u003e\n\u003cli\u003eThe attacker views sensitive information, modifies user settings, or interacts with the AI chatbot as the compromised user.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains unauthorized access until the cookie expires, by default after 400 days.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers who have stolen session cookies to maintain persistent control over user accounts. Even after a password reset, attackers can continue accessing sensitive information, impersonate the user, and perform unauthorized actions. With a default cookie lifespan of 400 days, this vulnerability presents a significant risk of long-term account compromise, especially in environments where users may be slow to update their passwords or revoke sessions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SillyTavern installations to version 1.18.0 or later to address the session invalidation vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and deploy the \u0026ldquo;Detect SillyTavern Session Cookie Use After Password Change\u0026rdquo; Sigma rule to identify suspicious activity associated with session reuse.\u003c/li\u003e\n\u003cli\u003eImplement strict cookie security policies, including setting the \u003ccode\u003eHttpOnly\u003c/code\u003e and \u003ccode\u003eSecure\u003c/code\u003e flags, to reduce the risk of session cookie theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T22:25:05Z","date_published":"2026-05-12T22:25:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-session-reuse/","summary":"SillyTavern versions 1.17.0 and earlier do not invalidate existing sessions after a password change, allowing attackers with stolen session cookies to retain access even after the victim resets their password, which nullifies the password reset as a recovery measure against session theft.","title":"SillyTavern Session Reuse After Password Change","url":"https://feed.craftedsignal.io/briefs/2026-05-sillytavern-session-reuse/"}],"language":"en","title":"CraftedSignal Threat Feed — Session-Reuse","version":"https://jsonfeed.org/version/1.1"}