Executive Summary

CVE-2026-44648 is a vulnerability in SillyTavern versions 1.17.0 and earlier where user sessions remain active even after a password change, allowing session reuse and potential account takeover.

This happens because SillyTavern uses stateless authentication with signed cookies that store session data on the client side. When a user changes their password via certain API endpoints, the password hash is updated in the database but active sessions are not invalidated.

As a result, an attacker who has stolen a session cookie can continue to access the account indefinitely, even after the victim resets their password. The default cookie lifespan of 400 days makes this vulnerability exploitable for a long time.

This vulnerability was fixed in version 1.18.0 by adding session invalidation upon password changes.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in SillyTavern allows existing user sessions to remain active even after a password change, enabling potential account takeover due to insufficient session expiration.

This weakness can impact compliance with common standards and regulations such as GDPR and HIPAA, which require proper session management and timely revocation of access to protect user data confidentiality and integrity.

Failure to invalidate sessions after password changes may lead to unauthorized access, increasing the risk of data breaches and non-compliance with security controls mandated by these regulations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to user accounts because active sessions are not revoked after a password change.

An attacker with a stolen session cookie can maintain access indefinitely, potentially leading to account takeover.

The impacts include high confidentiality, integrity, and availability risks, meaning sensitive data could be exposed or altered, and service availability could be affected.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves SillyTavern versions 1.17.0 and earlier where session cookies remain valid even after a password change. Detection involves monitoring for active session cookies that persist beyond password resets.

You can check for the presence of valid session cookies after a password change by observing HTTP requests to the SillyTavern server, especially to the endpoints POST /api/users/change-password and POST /api/users/recover-step2.

Suggested commands include using network traffic inspection tools like curl or wget to simulate password changes and then verifying if the session cookie remains valid.

• Use curl to change the password: curl -X POST https://<sillytavern-host>/api/users/change-password -d '{"password":"newpass"}' -H 'Content-Type: application/json' -b 'session_cookie=value'
• After password change, attempt to access a protected resource with the same session cookie: curl -X GET https://<sillytavern-host>/api/protected-resource -b 'session_cookie=value'

If access is still granted using the old session cookie after password change, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade SillyTavern to version 1.18.0 or later, where the vulnerability is fixed by invalidating sessions upon password changes.

Until the upgrade is applied, consider the following immediate steps:

• Manually invalidate or clear all active session cookies after a password change.
• Inform users to log out and log back in after changing their password.
• Reduce the lifespan of session cookies if possible to limit the window of exploitation.

These steps help reduce the risk of session reuse by attackers with stolen cookies.

Useful 0 Not Useful 0