CVE-2026-44649: SillyTavern: Authentication Bypass via SSO Header Injection
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.
HarborGuard Analysis
Synopsis
An authentication bypass in SillyTavern, a local UI for interacting with text/image/voice generation models, allows unauthenticated network attackers to log in as any user including administrators. The flaw lives in SSO header handling: SillyTavern trusts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers without confirming they came from a trusted reverse proxy, so any client that can reach the listening port directly can inject the header and impersonate an account. Exploitation requires that sso.autheliaAuth or sso.authentikAuth is enabled in config.yaml (both default off). A patched-image rebuild at version 1.18.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the advisory is ingested from upstream feeds within minutes of publication and matched against SillyTavern images in customer registries and CI pipelines, including custom-built images that repackage SillyTavern below 1.18.0.
Available
Triage is available with the published CVSS 9.8 Critical score weighted against each customer's compliance policy (for example, environments that expose SillyTavern beyond localhost or enable SSO see elevated routing priority). Findings are delivered to the appropriate inbox inside each customer organization based on image ownership.
Available
A patched-image rebuild at SillyTavern 1.18.0 becomes available on HarborGuard for affected workloads. For customers who opt into auto-remediation, the rebuild is produced, run through the regression suite, and a pull request is opened against the affected workloads to swap the image tag.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the SillyTavern HTTP port directly over the network, bypassing any reverse proxy.
- Authentication: Not required
  No credentials are needed; the injected SSO header itself is treated as proof of identity.
- Victim interaction: Not required
  Exploitation is a direct HTTP request from the attacker; no user has to click or visit anything.
- Attack complexity: Detail
  AC:L indicates the exploit is reliable and condition-free once the port is reachable and SSO is enabled in config.yaml.
Blast Radius
- Authenticates as any chosen account, including administrator, without a password.
- Reads stored chats, prompts, API keys, and any user data managed by the SillyTavern instance.
- Modifies user settings, personas, and server configuration through the impersonated session.
- Can disrupt or take over the service by altering admin-controlled settings and credentials.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at SillyTavern 1.18.0 is offered for any environment running an affected version. For customers with auto-remediation enabled, the rebuild is generated, regression-tested, and proposed via a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments. Where compliance policy blocks auto-remediation, the finding is routed for manual review with the fixed version called out, and compensating controls are suggested in the interim: bind SillyTavern to localhost or an internal interface, enforce a network policy that only permits the trusted reverse proxy to reach the port, or set sso.autheliaAuth and sso.authentikAuth to false until the upgrade lands.
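The missing origin check described in this advisory, shown as an added JavaScript illustration beside a hardened form; it is not SillyTavern's code and not the 1.18.0 patch. The header names and sso flags come from the advisory, while the function names, the `trustedProxies` list and the sample requests are hypothetical and constructed for this example.

```javascript
// Added illustration; not SillyTavern's code and not the 1.18.0 patch.
// Header names and sso.* flags come from the advisory; trustedProxies is hypothetical.
const SSO_HEADERS = {
  autheliaAuth: 'remote-user',           // Remote-User (Authelia)
  authentikAuth: 'x-authentik-username', // X-Authentik-Username (Authentik)
};

// Peers can show up as IPv4-mapped IPv6 (::ffff:10.0.0.5); compare one canonical form.
function normalizeIp(addr) {
  return String(addr || '').trim().toLowerCase().replace(/^::ffff:/, '');
}

// Pattern the advisory describes: an enabled SSO header alone is accepted as identity.
function ssoUserUnchecked(req, sso) {
  for (const [flag, header] of Object.entries(SSO_HEADERS)) {
    const value = req.headers[header]; // Node lowercases incoming header names
    if (sso[flag] === true && typeof value === 'string' && value.trim() !== '') {
      return value.trim();
    }
  }
  return null;
}

// Hardened form: honour the header only when the TCP peer is a configured proxy.
// Use the socket address, never X-Forwarded-For, which the client also controls.
function ssoUserFromTrustedProxy(req, sso, trustedProxies) {
  const peer = normalizeIp(req.socket && req.socket.remoteAddress);
  if (peer === '' || !trustedProxies.map(normalizeIp).includes(peer)) {
    return null; // header ignored; the caller falls back to its normal login
  }
  return ssoUserUnchecked(req, sso);
}

// Constructed sample requests (made-up addresses and users, not real traffic).
const sso = { autheliaAuth: true, authentikAuth: false };
const proxies = ['10.0.0.5'];
const viaProxy = { headers: { 'remote-user': 'alice' }, socket: { remoteAddress: '::ffff:10.0.0.5' } };
const direct = { headers: { 'remote-user': 'admin' }, socket: { remoteAddress: '192.0.2.77' } };
const disabledIdp = { headers: { 'x-authentik-username': 'admin' }, socket: { remoteAddress: '10.0.0.5' } };

console.log(ssoUserUnchecked(direct, sso));                   // header trusted from any peer
console.log(ssoUserFromTrustedProxy(direct, sso, proxies));   // direct peer: header ignored
console.log(ssoUserFromTrustedProxy(viaProxy, sso, proxies)); // proxy peer: header honoured
```

An application-level peer check like this complements the network controls listed above rather than replacing them.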
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - SillyTavern / SillyTavern < 1.18.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H