CVE-2026-44649 Overview
CVE-2026-44649 is an authentication bypass vulnerability in SillyTavern, a locally installed user interface for interacting with text generation large language models, image generation engines, and text-to-speech voice models. Versions prior to 1.18.0 trust the Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers for automatic Single Sign-On (SSO) login without validating that requests originate from a trusted reverse proxy. Any network client able to reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. The flaw is classified under [CWE-290: Authentication Bypass by Spoofing].
Critical Impact
Unauthenticated remote attackers can impersonate any account, including administrators, by injecting forged SSO headers when sso.autheliaAuth or sso.authentikAuth is enabled.
Affected Products
- SillyTavern versions prior to 1.18.0
- Deployments with sso.autheliaAuth: true in config.yaml
- Deployments with sso.authentikAuth: true in config.yaml
Discovery Timeline
- 2026-05-29 - CVE-2026-44649 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-44649
Vulnerability Analysis
SillyTavern supports SSO integration with Authelia and Authentik reverse proxies. In these configurations, the upstream proxy authenticates the user and forwards the verified identity to the backend application through HTTP headers. SillyTavern reads Remote-User for Authelia and X-Authentik-Username for Authentik to identify the logged-in user.
The vulnerability stems from SillyTavern accepting these identity headers from any source. The application does not verify the source IP of the request, does not require a shared secret, and does not enforce mutual TLS with the proxy. Any attacker who can reach the listening port can attach a header naming an existing account and receive an authenticated session for that user.
Exploitation grants the attacker administrator-level control over the SillyTavern instance, including access to conversations, configured API keys for backend LLM providers, and the ability to modify server configuration. The vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml. Both options default to false.
Root Cause
The root cause is missing validation of the trust boundary between the reverse proxy and the application. SillyTavern treats inbound HTTP headers as authoritative identity assertions without confirming that those headers were set by a trusted upstream component.
Attack Vector
The attacker sends a direct HTTP request to the SillyTavern listening port, bypassing the reverse proxy entirely. The request includes a forged Remote-User or X-Authentik-Username header containing a target username. SillyTavern accepts the assertion and issues a session for that user. No prior credentials, tokens, or user interaction are required. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-44649
Indicators of Compromise
- Inbound HTTP requests to the SillyTavern port containing Remote-User or X-Authentik-Username headers from source addresses other than the configured reverse proxy.
- Authenticated sessions for administrator accounts originating from unexpected client IP ranges.
- Unexpected modifications to config.yaml or new API key entries appearing in user profiles.
Detection Strategies
- Inspect reverse proxy and application access logs for requests that bypass the proxy and arrive directly at the SillyTavern host.
- Correlate authentication events with source IP to identify logins that did not transit the SSO provider.
- Alert on any request to the SillyTavern port carrying SSO identity headers when the source is outside the trusted proxy subnet.
Monitoring Recommendations
- Enable verbose authentication logging on SillyTavern and forward logs to a centralized SIEM for correlation.
- Monitor host-level network connections to the SillyTavern listening port and alert on connections that do not originate from the reverse proxy.
- Track administrator session creation events and review privileged actions taken during recent sessions.
How to Mitigate CVE-2026-44649
Immediate Actions Required
- Upgrade SillyTavern to version 1.18.0 or later, which contains the fix.
- If immediate upgrade is not possible, set sso.autheliaAuth: false and sso.authentikAuth: false in config.yaml.
- Restrict network exposure of the SillyTavern port so that only the trusted reverse proxy can reach it.
- Rotate API keys and credentials stored within SillyTavern if unauthorized access is suspected.
Patch Information
The vulnerability is fixed in SillyTavern 1.18.0. Refer to the GitHub Security Advisory GHSA-gxx6-h3g6-vwjh for release details and upgrade guidance.
Workarounds
- Bind SillyTavern to 127.0.0.1 or an internal interface reachable only by the reverse proxy.
- Enforce host firewall rules that drop traffic to the SillyTavern port from any source other than the Authelia or Authentik proxy.
- Configure the reverse proxy to strip incoming Remote-User and X-Authentik-Username headers from client requests before forwarding.
# Configuration example: disable header-based SSO until patched
# config.yaml
sso:
autheliaAuth: false
authentikAuth: false
# iptables: allow only the reverse proxy to reach SillyTavern (port 8000)
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
