CVE-2026-26286
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in SillyTavern allows authenticated users to make arbitrary HTTP requests from the server and read full responses, potentially accessing internal services, cloud metadata, and private network resources. It affects all SillyTavern installations running versions prior to 1.16.0. Users who have deployed SillyTavern locally are at risk.
💻 Affected Systems
- SillyTavern
📦 What is this software?
Sillytavern by Sillytavern
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, cloud metadata (potentially obtaining credentials), and private network resources, leading to full network compromise and data exfiltration.
Likely Case
Unauthorized access to internal services and metadata, potentially exposing sensitive information and enabling lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation and access controls, though some information disclosure may still occur.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability allows reading full HTTP responses from arbitrary requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.0
Vendor Advisory: https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-cccp-94vg-j92r
Restart Required: Yes
Instructions:
1. Update SillyTavern to version 1.16.0 or later. 2. Restart the SillyTavern service. 3. Verify the whitelistImportDomains array in config.yaml contains only trusted domains.
🔧 Temporary Workarounds
Configure domain whitelist manually
allManually edit the config.yaml file to restrict asset downloads to trusted domains only
Edit config.yaml and ensure whitelistImportDomains array contains only necessary trusted domains
🧯 If You Can't Patch
- Restrict network access to SillyTavern server to prevent external exploitation
- Implement network segmentation to isolate SillyTavern from sensitive internal services
🔍 How to Verify
Check if Vulnerable:
Check SillyTavern version - if below 1.16.0, the system is vulnerable. Also check if asset download endpoint accepts arbitrary URLs.Check Version:
Check the SillyTavern interface or installation directory for version informationVerify Fix Applied:
Verify version is 1.16.0 or higher and test that asset download endpoint rejects non-whitelisted domains.📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests from SillyTavern server to internal IP addresses or metadata endpoints
- Asset download requests to non-standard domains
Network Indicators:
- Outbound HTTP requests from SillyTavern server to internal network ranges or metadata services
SIEM Query:
source="sillytavern" AND (dest_ip=169.254.169.254 OR dest_ip IN [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16])