CVE-2026-34522 Overview
A path traversal vulnerability has been identified in SillyTavern, a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, the /api/chats/import endpoint is vulnerable to path traversal attacks that allow authenticated attackers to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into the character_name parameter.
Critical Impact
Authenticated attackers can write attacker-controlled content to any path the SillyTavern process itself can write to. Depending on what that covers (application scripts, extension or startup files, configuration, other users' data), the outcome ranges from configuration tampering to remote code execution and full compromise of the host running the instance.
Affected Products
- SillyTavern versions prior to 1.17.0
Discovery Timeline
- 2026-04-02 - CVE-2026-34522 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34522
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the chat import functionality of SillyTavern. The application fails to properly sanitize the character_name parameter when processing chat import requests through the /api/chats/import API endpoint. This lack of input validation allows attackers to inject directory traversal sequences such as ../ into the parameter value, enabling them to escape the intended chats directory and write files to arbitrary locations on the file system.
The vulnerability requires authentication to exploit, meaning an attacker must have valid credentials or session access to the SillyTavern instance. Note that SillyTavern can be run with user accounts and basic authentication disabled; on such an instance every client that can reach the listener effectively meets this requirement. Once past it, the attacker controls the destination of a file write, which can mean overwriting application files, planting scripts, or altering configuration files.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization of the character_name parameter in the /api/chats/import endpoint. The application constructs file paths using user-supplied input without properly neutralizing special path elements, allowing traversal sequences to redirect file writes to unintended directories.
Attack Vector
The attack is conducted over the network and requires low-privilege authentication. An attacker crafts a malicious chat import request containing path traversal sequences (e.g., ../../) in the character_name field. When processed by the vulnerable endpoint, the application writes the attacker-controlled file content to a location outside the designated chats directory structure.
The exploitation flow involves:
- Authenticating to the SillyTavern instance
- Sending a crafted POST request to /api/chats/import
- Including traversal sequences in the character_name parameter to target an arbitrary file path
- The server writes the uploaded content to the attacker-specified location
For detailed technical information, refer to the GitHub Security Advisory GHSA-xvww-xhx6-22pf.
Detection Methods for CVE-2026-34522
Indicators of Compromise
- Unusual file creation or modification events outside the SillyTavern chats directory
- HTTP requests to /api/chats/import whose character_name value contains traversal patterns. Because the parameter arrives in the request body, which is not normally percent-decoded, the raw form (../, or ..\ on Windows hosts) is the one that actually reaches the file system; detection rules should still match percent-encoded variants such as %2e%2e%2f and double-encoded %252e%252e%252f, since they cost nothing to check and reveal probing
- Unexpected files appearing in application directories, configuration folders, or system paths
- Authentication logs showing repeated access to the chat import API followed by suspicious file system activity
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests to /api/chats/import whose parameters contain traversal sequences, matching raw, backslash, percent-encoded and double-encoded forms; treat this as a stopgap that narrows exposure, not a substitute for the upgrade
- Enable verbose logging for all file write operations within the SillyTavern application
- Deploy endpoint detection and response (EDR) solutions to monitor for anomalous file creation events originating from the SillyTavern process
- Utilize intrusion detection systems (IDS) to identify HTTP requests with traversal patterns in POST body parameters
Monitoring Recommendations
- Monitor web server access logs for requests to /api/chats/import with suspicious character_name values
- Set up file integrity monitoring (FIM) on critical directories to detect unauthorized file modifications
- Review authentication logs for unusual access patterns to the chat import functionality
- Configure alerts for any file write operations occurring outside the expected chats directory path
How to Mitigate CVE-2026-34522
Immediate Actions Required
- Upgrade SillyTavern to version 1.17.0 or later immediately
- Review file system for any unauthorized files that may have been written through exploitation
- Audit authentication logs to identify any suspicious activity related to the chat import endpoint
- Restrict network access to SillyTavern instances to trusted users only until patching is complete
Patch Information
The vulnerability has been addressed in SillyTavern version 1.17.0. The fix implements proper input validation and path sanitization for the character_name parameter in the chat import functionality. Users should upgrade to this version or later to remediate the vulnerability.
For more information, see the SillyTavern Release 1.17.0.
Workarounds
- Block the /api/chats/import endpoint at a reverse proxy if the chat import feature is not required
- Implement network-level access controls to limit who can reach the SillyTavern instance
- Deploy a reverse proxy with request filtering to block requests containing path traversal patterns
- Run SillyTavern as a dedicated unprivileged user whose write access is limited to its own data directory, so an escaped write cannot reach system paths or other services; note that the chats directory sits inside that data directory, so until the upgrade a traversal can still reach the application's other data, including other users' data
# Example: Restricting access to SillyTavern using iptables
# Allow loopback and one trusted LAN range to reach the SillyTavern port (8000 by default),
# then drop everything else. Insert (-I) at fixed positions rather than append (-A) so an
# earlier blanket ACCEPT rule in the chain cannot shadow the DROP.
iptables -I INPUT 1 -i lo -p tcp --dport 8000 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8000 -s 192.168.1.0/24 -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 8000 -j DROP
# Repeat with ip6tables if the host is reachable over IPv6, and persist the rules (for example with iptables-save) so they survive a reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.