Description
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.
Published: 2026-05-29
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in SillyTavern allows an unauthenticated attacker to inject the Remote-User or X-Authentik-Username headers. Because the application performs no validation that these headers come from a trusted reverse proxy, the attacker can impersonate any user, including administrative accounts, and gain full control over the interface. This flaw is a direct authentication bypass (CWE‑290) combined with improper authorization checks (CWE‑306, CWE‑807). Successful exploitation leads to compromise of confidentiality, integrity, and availability for users of the service.

Affected Systems

Affected systems are local deployments of SillyTavern with a configuration file that has either sso.autheliaAuth or sso.authentikAuth set to true. The issue exists in all releases prior to version 1.18.0; version 1.18.0 and later contain the necessary validation to ensure headers originate from a trusted source.

Risk and Exploitability

The CVSS score of 9.8 classifies this as a critical vulnerability, and while an EPSS score is currently unavailable, the lack of a KEV listing does not diminish the severity. Exploitation requires only network access to the SillyTavern port, which is typically local, so organization shouldn't ignore the issue. Because the vulnerability only manifests when SSO is enabled, the attack vector is a direct injection from a network client that can access the application host, and the exploitation can occur with no authentication prerequisites.

Generated by OpenCVE AI on May 29, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SillyTavern to version 1.18.0 or newer, which includes proper header validation.
  • Disable SSO features (set sso.autheliaAuth and sso.authentikAuth to false) until the patch is applied, or remove the SSO configuration from config.yaml if not required.
  • Restrict network access to the SillyTavern port, for example by implementing firewall rules or network segmentation, so that only trusted hosts can reach the service.

Generated by OpenCVE AI on May 29, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gxx6-h3g6-vwjh SillyTavern has Authentication Bypass via SSO Header Injection
History

Fri, 29 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Sillytavern
Sillytavern sillytavern
Vendors & Products Sillytavern
Sillytavern sillytavern

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.
Title SillyTavern: Authentication Bypass via SSO Header Injection
Weaknesses CWE-290
CWE-306
CWE-346
CWE-807
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Sillytavern Sillytavern
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T17:45:26.073Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44649

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-29T19:16:24.720

Modified: 2026-05-29T20:17:38.110

Link: CVE-2026-44649

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses