Authentication Flaw in SillyTavern User Interface by SillyTavern
CVE-2026-44648

7.5 HIGH

Key Information:

Vendor: SillyTavern
CVE Published: 29 May 2026

What is CVE-2026-44648?

SillyTavern is a locally installed user interface for interacting with various AI models. Before version 1.18.0 it relied on cookie-session for managing user sessions, and this has a direct security consequence: the endpoints responsible for password changes do not expire existing sessions, so a user who established a session before the password was changed retains access afterwards. Because all session data is stored solely in a signed cookie on the client side, with no server-side session state, the server has no means of invalidating previously issued tokens. This flaw could enable session hijacking, posing significant risk to affected users.

Affected Version(s)

SillyTavern < 1.18.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 29 May 2026

  • Vulnerability reserved