CVE-2026-44650 Overview
CVE-2026-44650 is a path traversal vulnerability in SillyTavern, a locally installed user interface for interacting with large language models, image generation engines, and text-to-speech models. The POST /api/extensions/delete endpoint accepts an extensionName value of "." that bypasses the sanitize-filename validation. Supplying this value causes the application to recursively delete the entire user extensions directory. The default SillyTavern configuration does not require authentication, allowing any network-reachable attacker to trigger the deletion. The issue is fixed in version 1.18.0 and is tracked under [CWE-22].
Critical Impact
An unauthenticated attacker with network access can issue a single HTTP request to wipe a user's entire SillyTavern extensions directory.
Affected Products
- SillyTavern versions prior to 1.18.0
- SillyTavern instances running the default configuration without authentication
- Locally installed SillyTavern deployments reachable over a network
Discovery Timeline
- 2026-05-29 - CVE-2026-44650 published to the National Vulnerability Database
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-44650
Vulnerability Analysis
The vulnerability resides in the extension management API exposed by SillyTavern. The POST /api/extensions/delete route receives an extensionName parameter from the request body and uses it to locate and remove a directory within the user extensions folder. The endpoint relies on the sanitize-filename library to validate that the supplied name does not contain dangerous characters or path separators.
The single-character value "." passes this sanitization because it is technically a valid filename string. When the application joins this value with the base extensions directory path, the resulting path resolves to the parent directory itself. A subsequent recursive delete operation then removes the entire user extensions directory and its contents.
The impact is amplified because SillyTavern ships without authentication enabled by default. Any process or user able to reach the listening port can invoke the endpoint without credentials.
Root Cause
The root cause is incomplete input validation. The sanitize-filename check confirms that the value is a syntactically valid filename but does not reject reserved relative path tokens such as . and ... The application then trusts the sanitized value as a safe directory name during path construction and filesystem operations.
Attack Vector
An attacker sends a single HTTP POST request to /api/extensions/delete containing a JSON body with extensionName set to ".". No session, token, or user interaction is required in the default configuration. The server resolves the path, performs a recursive delete, and the user extensions directory is destroyed. Loss of these files results in integrity and availability impact on the SillyTavern installation.
The vulnerability is described in the SillyTavern GitHub Security Advisory.
Detection Methods for CVE-2026-44650
Indicators of Compromise
- HTTP POST requests to /api/extensions/delete where the request body contains extensionName equal to ".", "..", or other relative path tokens.
- Unexpected disappearance of subdirectories under the SillyTavern user extensions folder.
- Application logs showing extension deletion events that do not correspond to administrator activity.
Detection Strategies
- Inspect web server and reverse proxy logs for POST requests to /api/extensions/delete and correlate the source IP with expected administrative clients.
- Monitor filesystem audit events for recursive directory removals targeting the SillyTavern extensions path.
- Alert on any access to the /api/extensions/ route from non-localhost sources when the application is intended to run only on loopback.
Monitoring Recommendations
- Forward SillyTavern application and access logs to a centralized log platform for retention and querying.
- Establish a baseline of normal extension management activity and alert on deviations such as bulk deletions.
- Track network exposure of SillyTavern instances and flag listeners bound to non-loopback interfaces.
How to Mitigate CVE-2026-44650
Immediate Actions Required
- Upgrade SillyTavern to version 1.18.0 or later, which contains the fix for this vulnerability.
- Restrict network access to the SillyTavern listener to 127.0.0.1 until the upgrade is applied.
- Enable SillyTavern's basic or whitelist authentication features if the instance must remain reachable on a network.
- Back up the user extensions directory so that any successful deletion can be restored.
Patch Information
The SillyTavern maintainers fixed the issue in version 1.18.0. The patch hardens the validation of the extensionName parameter so that relative path tokens such as . and .. are rejected before any filesystem operation is performed. Refer to the SillyTavern GitHub Security Advisory GHSA-886q-f44j-h6wh for the official advisory.
Workarounds
- Bind the SillyTavern process to the loopback interface and require users to connect through an authenticated reverse proxy or SSH tunnel.
- Configure host-based firewall rules to block inbound access to the SillyTavern port from untrusted networks.
- Run SillyTavern under an account with limited filesystem permissions so the impact of an exploited delete is contained.
# Configuration example: restrict SillyTavern to loopback in config.yaml
listen: false
listenAddress:
ipv4: 127.0.0.1
ipv6: "::1"
basicAuthMode: true
basicAuthUser:
username: "admin"
password: "<set-a-strong-password>"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
