Executive Summary

CVE-2026-44652 is a Server-Side Request Forgery (SSRF) vulnerability in SillyTavern versions 1.17.0 and earlier. The issue occurs because the corsProxyMiddleware forwards user-controlled URL parameters directly into a fetch request without proper validation.

This means an attacker can manipulate the URL parameter to make the server send requests to internal or sensitive network resources that should not be accessible, bypassing restrictions that only block circular requests to the host itself.

The vulnerability arises because there is no destination allowlist or blocking of private/loopback addresses, allowing potential access to unintended internal services or metadata endpoints.

This vulnerability was fixed in SillyTavern version 1.18.0 by introducing a server-side request filter (Private Request Whitelisting), although this filter is disabled by default and must be manually enabled and configured for network-hosted instances.

Useful 0 Not Useful 0

Impact Analysis

This SSRF vulnerability can allow attackers to access internal or sensitive network resources that are normally protected from external access.

Potential impacts include unauthorized access to internal services, exposure of sensitive data, and exploitation of internal network infrastructure.

Because the vulnerability bypasses restrictions on private and loopback addresses, attackers might reach metadata endpoints or other internal APIs that could lead to further compromise.

If the server is hosting sensitive or critical services, this could lead to data breaches or service disruptions.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability involves the corsProxyMiddleware forwarding user-controlled URL parameters directly into fetch requests without proper validation, enabling SSRF attacks. Detection can focus on monitoring or analyzing requests made to the SillyTavern instance, especially those that include unusual or unexpected URLs in the parameters forwarded by the CORS proxy middleware.

You can look for suspicious outgoing requests from the SillyTavern server to internal or private IP addresses or metadata endpoints that should normally be inaccessible.

Example commands to detect potential exploitation attempts might include:

• Using network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests from the SillyTavern server and filter for internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12).
• Using curl or wget to test the proxy endpoint with crafted URLs to see if internal resources can be accessed, for example: curl 'http://localhost:PORT/path?url=http://169.254.169.254/latest/meta-data/'
• Checking application logs for requests containing suspicious URL parameters that point to internal or private IP addresses.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in SillyTavern version 1.18.0 by introducing a server-side request filter (Private Request Whitelisting). The immediate mitigation steps are:

• Upgrade SillyTavern to version 1.18.0 or later where the vulnerability is addressed.
• If upgrading is not immediately possible, manually enable and configure the Private Request Whitelisting filter in the CORS proxy middleware to restrict requests to allowed destinations and block private or loopback addresses.
• Monitor and restrict network access to the SillyTavern instance to trusted users and networks to reduce exposure.
• Review and audit any existing configurations or customizations of the CORS proxy middleware to ensure no unsafe forwarding of URLs occurs.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the SSRF vulnerability in SillyTavern affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0