CVE-2026-34524 Overview
CVE-2026-34524 is a path traversal vulnerability affecting SillyTavern, a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, the chat endpoints contain a path traversal flaw that allows an authenticated attacker to read and delete arbitrary files under the user data root directory by supplying a malicious avatar_url parameter with a value of "..". This vulnerability could lead to unauthorized access to sensitive configuration files such as secrets.json and settings.json.
Critical Impact
Authenticated attackers can exploit this path traversal vulnerability to read sensitive configuration files containing secrets and credentials, as well as delete arbitrary files within the user data directory, potentially compromising the entire SillyTavern installation.
Affected Products
- SillyTavern versions prior to 1.17.0
Discovery Timeline
- 2026-04-02 - CVE-2026-34524 published to NVD
- 2026-04-02 - Last updated in the NVD database
Technical Details for CVE-2026-34524
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw exists in SillyTavern's chat endpoints, which fail to properly sanitize user-supplied input in the avatar_url parameter.
When an authenticated user provides specially crafted input containing directory traversal sequences (such as ".."), the application does not adequately validate or normalize the path before accessing file system resources. This allows attackers to escape the intended directory boundary and access files outside the designated avatar storage location.
The vulnerability requires authentication to exploit, meaning only users with valid credentials can leverage this flaw. However, once authenticated, an attacker can traverse to the user data root directory and access sensitive files including secrets.json (which may contain API keys and authentication tokens) and settings.json (which contains application configuration).
Root Cause
The root cause is insufficient validation of the avatar_url parameter in the chat endpoints. The application neither rejects traversal sequences nor canonicalizes the resulting file path and checks that it still lies inside the intended avatar directory before performing file operations. A value of ".." therefore resolves to the parent of the avatar directory, and the endpoints read or delete files relative to the user data root instead of the avatar storage location.
Attack Vector
The attack is network-accessible and requires low privilege (authenticated user). An attacker must first authenticate to the SillyTavern application, then craft a malicious request to a chat endpoint with the avatar_url parameter set to a path traversal payload such as "..". This payload allows the attacker to navigate up the directory tree and access files outside the intended avatar directory.
The exploitation does not require user interaction beyond the initial authentication. Once exploited, the attacker can read sensitive configuration files containing secrets and credentials, or delete files to disrupt the application's functionality.
Detection Methods for CVE-2026-34524
Indicators of Compromise
- Unusual HTTP requests to chat endpoints containing .. or encoded traversal sequences (%2e%2e, %252e%252e) in the avatar_url parameter
- Access logs showing requests attempting to access files outside the avatar directory such as secrets.json or settings.json
- Unexpected file deletions within the SillyTavern user data directory
- Missing or modified configuration files without administrative action
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Monitor application logs for requests containing directory traversal sequences in the avatar_url parameter
- Deploy file integrity monitoring on critical configuration files like secrets.json and settings.json
- Use intrusion detection systems (IDS) to alert on suspicious file access patterns within the SillyTavern data directory
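The indicators and log-monitoring strategies above can be checked mechanically. The following is an added example, not SillyTavern code or any vendor rule set: it scans constructed access-log lines for chat-endpoint requests whose avatar_url value contains a ".." segment in literal, URL-encoded or double-encoded form. It assumes the parameter is visible in the query string (a JSON body parameter would need application-level request logging) and the endpoint prefix `/api/chats/` is assumed for illustration.

```javascript
// Added example, not SillyTavern code: flag chat-endpoint requests whose
// avatar_url carries a traversal segment, in literal, URL-encoded (%2e%2e)
// or double-encoded (%252e%252e) form, as listed in the IoCs above.
// Assumption: avatar_url appears in the query string of the logged request line.
const CHAT_PATH_PREFIX = '/api/chats/'; // assumed endpoint prefix, for illustration

// Percent-decode repeatedly (bounded) so double encoding cannot hide "..".
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed escape: stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when any "/"- or "\"-separated segment of the decoded value is exactly "..".
// A legitimate file name such as "..alice.png" is not flagged.
function hasTraversalSegment(value) {
  return fullyDecode(value).split(/[\\/]/).some((seg) => seg === '..');
}

// Pull method, path and query string out of a combined-format access log line.
function parseRequestLine(line) {
  const m = line.match(/"([A-Z]+) ([^ ?"]+)(\?[^ "]*)? HTTP\/[\d.]+"/);
  return m ? { method: m[1], path: m[2], query: new URLSearchParams(m[3] ?? '') } : null;
}

// Return the log lines that match the CVE-2026-34524 indicator of compromise.
function findTraversalRequests(lines) {
  return lines.filter((line) => {
    const req = parseRequestLine(line);
    if (!req || !req.path.startsWith(CHAT_PATH_PREFIX)) return false;
    const avatar = req.query.get('avatar_url'); // URLSearchParams decodes one layer
    return avatar !== null && hasTraversalSegment(avatar);
  });
}

// Constructed sample log: one benign request, two probes, one probe outside the chat API.
const SAMPLE_LOG = [
  '10.0.0.5 - alice [02/Apr/2026:10:00:01 +0000] "GET /api/chats/get?avatar_url=alice.png HTTP/1.1" 200 512',
  '10.0.0.5 - alice [02/Apr/2026:10:00:02 +0000] "GET /api/chats/get?avatar_url=.. HTTP/1.1" 200 2048',
  '10.0.0.9 - bob [02/Apr/2026:10:00:03 +0000] "GET /api/chats/get?avatar_url=%252e%252e HTTP/1.1" 200 2048',
  '10.0.0.9 - bob [02/Apr/2026:10:00:04 +0000] "GET /api/images/list?avatar_url=.. HTTP/1.1" 404 0',
];

console.log(findTraversalRequests(SAMPLE_LOG).length, 'suspicious request(s)');
```

Because the scanner decodes before splitting into segments, the same function can be fed values taken from a WAF or reverse-proxy log rather than the raw request line.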
Monitoring Recommendations
- Enable verbose logging for all chat endpoint requests and monitor for anomalous path patterns
- Set up alerts for any access to configuration files by a process or request handler that is not expected to read them
- Implement real-time monitoring of the user data root directory for unauthorized read or delete operations
- Review authentication logs for unusual patterns that may indicate compromised credentials being used for exploitation
How to Mitigate CVE-2026-34524
Immediate Actions Required
- Upgrade SillyTavern to version 1.17.0 or later immediately
- Review access logs for any signs of exploitation attempts prior to patching
- Rotate any API keys or secrets stored in secrets.json if exploitation is suspected
- Restrict network access to the SillyTavern instance to trusted users only until patching is complete
Patch Information
This vulnerability has been patched in SillyTavern version 1.17.0. Users should upgrade to this version or later to remediate the vulnerability. The patch implements proper path validation and sanitization for the avatar_url parameter in chat endpoints.
For detailed information about the patch, see the GitHub Release 1.17.0 and the GitHub Security Advisory GHSA-vprr-q85p-79mf.
Workarounds
- Restrict access to the SillyTavern application to trusted users only via network-level controls
- Implement a reverse proxy with WAF capabilities to filter requests containing path traversal sequences
- Run the SillyTavern process with the minimum file system permissions it needs, so that a successful traversal can reach and delete as little as possible
- Back up critical configuration files regularly and store them securely outside the application's data directory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

