CVE-2026-44652 SillyTavern CVE debrief

Who should care

Organizations and individuals running SillyTavern instances, particularly those exposed to untrusted networks or hosting the application in environments with access to sensitive internal services

Technical summary

The corsProxyMiddleware in SillyTavern prior to 1.18.0 accepts a user-controlled URL parameter and passes it directly to a fetch() call. The middleware implements only minimal validation—blocking requests that would loop back to the application's own host—while failing to restrict destinations to an allowlist or block private IP ranges and loopback interfaces. This insufficient validation allows attackers to specify arbitrary URLs, including internal services and cloud metadata endpoints, resulting in Server-Side Request Forgery. The vulnerability is exploitable over the network without authentication and has been addressed in version 1.18.0.

Defensive priority

medium

Recommended defensive actions

• Upgrade SillyTavern to version 1.18.0 or later to remediate the SSRF vulnerability in corsProxyMiddleware
• If immediate patching is not feasible, restrict network access to the SillyTavern instance to trusted hosts only
• Review and implement destination allowlist controls for any custom proxy middleware configurations
• Monitor application logs for anomalous outbound requests that may indicate SSRF exploitation attempts
• Assess internal network segmentation to limit potential impact from successful SSRF attacks

Evidence notes

Vulnerability description and remediation status sourced from official CVE record and NVD entry. Fix version and technical details confirmed via GitHub Security Advisory. CVSS vector and CWE classification provided by NVD.

Official resources