CVE-2026-44649
SillyTavern Authentication Bypass via SSO Headers
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sillytavern | sillytavern | up to 1.18.0 (exclusive) |
| sillytavern | sillytavern | 1.17.0 |
| sillytavern | sillytavern | 1.18.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44649 is a critical authentication bypass vulnerability in SillyTavern versions 1.17.0 and earlier. The vulnerability occurs because SillyTavern accepts certain HTTP headers (Remote-User for Authelia and X-Authentik-Username for Authentik) to automatically log in users when Single Sign-On (SSO) is enabled, without validating that these headers come from a trusted reverse proxy.
This means that any network client that can directly access the SillyTavern port can inject these headers and authenticate as any user, including administrators, without needing a password.
The root cause is that SillyTavern trusts these headers blindly because the underlying Express.js framework does not differentiate between headers from trusted proxies and those injected by clients.
This vulnerability is only exploitable when SSO is enabled for Authelia or Authentik in the configuration (sso.autheliaAuth: true or sso.authentikAuth: true). It was fixed in version 1.18.0 by adding an IP allowlist to restrict which sources can send these headers.
How can this vulnerability impact me?
This vulnerability allows an attacker to bypass authentication and gain unauthorized access to any user account on SillyTavern, including administrator accounts, without needing a password.
An attacker with network access to the SillyTavern port can inject the required headers to impersonate any user, leading to full account takeover.
Additionally, attackers can enumerate valid usernames via a publicly accessible API endpoint (/api/users/list), which facilitates targeted attacks.
The impact includes complete compromise of confidentiality, integrity, and availability of the affected system, as attackers can perform any actions as the impersonated users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the SillyTavern instance is running a version prior to 1.18.0 with SSO enabled for Authelia or Authentik (sso.autheliaAuth: true or sso.authentikAuth: true). Additionally, user enumeration attempts against the publicly accessible /api/users/list endpoint can indicate probing for this vulnerability.
To detect exploitation attempts or test for the vulnerability, you can try sending HTTP requests with the headers "Remote-User" or "X-Authentik-Username" directly to the SillyTavern port and observe if authentication is granted without valid credentials.
- Use curl to test header injection: `curl -v -H "Remote-User: admin" http://<sillytavern-host>:<port>/`
- Check for user enumeration by querying the users list endpoint: `curl http://<sillytavern-host>:<port>/api/users/list`
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SillyTavern to version 1.18.0 or later, where the vulnerability is fixed by adding an IP allowlist configuration for SSO header authorization.
If upgrading is not immediately possible, disable SSO authentication for Authelia and Authentik by setting sso.autheliaAuth and sso.authentikAuth to false in the config.yaml file to prevent the vulnerable header-based authentication.
Additionally, restrict network access to the SillyTavern port so that only trusted reverse proxies or internal systems can reach it, preventing attackers from injecting malicious headers directly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to bypass authentication and gain unauthorized access to any user account, including administrative accounts, without a password.
Such unauthorized access can lead to exposure or manipulation of sensitive personal or protected data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict access controls and protection of user data.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure to adequately protect user authentication and data confidentiality.