CVE-2026-44648: SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. This vulnerability is fixed in 1.18.0.
HarborGuard Analysis
Synopsis
Missing session-invalidation flaw in SillyTavern where existing sessions remain valid after a password change or recovery, enabling account takeover by anyone holding a previously issued session cookie. The bug is reachable over the network without authentication but requires user interaction and unusual conditions for an attacker to obtain a valid prior session, and successful exploitation allows full read, write, and disruption of the victim account. A patched-image rebuild at 1.18.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection: available across every HarborGuard environment. The advisory is ingested from upstream feeds within minutes of publication and matched against SillyTavern images in customer registries and pipelines, including custom-built images that bundle the affected version. Status: Available.
Triage: available with the CVSS 7.5 (High) base score weighted against each customer's compliance policy, so environments that flag authentication and session-handling issues as elevated risk see the finding promoted accordingly. Findings route to the security inbox configured for the owning team inside each customer org. Status: Available.
Remediation: a patched-image rebuild at SillyTavern 1.18.0 is available on HarborGuard for environments running an affected version. Customers who opt into auto-remediation get the rebuilt image, a regression-test run, and a PR opened against the workloads that reference the vulnerable tag. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the SillyTavern web interface over the network to replay the captured session cookie.
- Authentication: Not required
  No prior login to the target account is needed; the attacker reuses an existing session cookie rather than authenticating.
- Victim interaction: Required
  The victim must take an action that exposes or shares a session cookie (for example using a shared device or leaking the cookie through another channel) for the attacker to capture it.
- Attack complexity: High
  Attack complexity is high because the attacker needs to obtain a valid prior session cookie, which depends on environmental factors outside the attacker's direct control.
Blast Radius
- Reads all data accessible to the victim account, including chat history, stored prompts, and any configured API credentials for connected LLM, image, and voice backends.
- Modifies the victim's stored configuration, personas, and saved conversations, and can change account settings under the victim's identity.
- Disrupts the victim's use of the service by altering or deleting their data, and retains access even after the victim changes their password to try to lock the attacker out.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at SillyTavern 1.18.0 for environments running an affected version. For customers with auto-remediation enabled, the rebuilt image is produced, run through regression tests, and proposed via a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy permits, operators should also rotate session signing keys after upgrading so that any cookies issued before the fix are invalidated, and consider network-policy isolation of the SillyTavern instance until the upgrade lands.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- SillyTavern / SillyTavern < 1.18.0
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H