CVE-2026-44652 Overview
CVE-2026-44652 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in SillyTavern, a locally installed user interface for interacting with large language models, image generation engines, and text-to-speech voice models. The flaw resides in corsProxyMiddleware, which forwards the req.params.url parameter directly into a fetch(url, ...) call. The middleware only blocks circular requests to its own host and does not enforce a destination allowlist or restrict private and loopback addresses. Attackers can abuse the proxy to reach internal services accessible to the SillyTavern host. The vulnerability affects all versions prior to 1.18.0 and is fixed in 1.18.0.
Critical Impact
An unauthenticated attacker who can reach the SillyTavern HTTP interface can coerce the instance into issuing arbitrary outbound HTTP requests, including to private networks, loopback interfaces, and cloud metadata endpoints, and receives the response bodies, so the flaw gives read access to anything the host can reach over HTTP.
Affected Products
- SillyTavern versions prior to 1.18.0
Discovery Timeline
- 2026-05-29 - CVE-2026-44652 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-44652
Vulnerability Analysis
The vulnerability resides in the corsProxyMiddleware component of SillyTavern. The middleware is designed to relay HTTP requests on behalf of the front-end to bypass browser Cross-Origin Resource Sharing (CORS) restrictions. The implementation reads the target URL from req.params.url and passes it unfiltered into a Node.js fetch(url, ...) call. The only protection present is a check that blocks circular requests to the proxy's own host. No allowlist of permitted destinations exists, and there is no validation against private IP ranges, loopback addresses, link-local ranges, or cloud instance metadata endpoints. This is a textbook Server-Side Request Forgery condition tracked under [CWE-918].
Root Cause
The root cause is missing destination validation in corsProxyMiddleware. The proxy treats the user-supplied url parameter as trusted input and hands it to fetch without resolving the target and checking the resulting address against an allow or deny policy. Because no post-resolution check exists, IP literals (including decimal, hex and IPv4-mapped IPv6 notations) and DNS rebinding are not mitigated. A fix that only inspects the hostname string would remain bypassable: the check has to run on the addresses the name actually resolves to, and the connection has to be made to one of those checked addresses rather than after a second, unchecked lookup.
Attack Vector
An attacker who can reach the SillyTavern HTTP interface sends a request to the CORS proxy endpoint with a crafted url parameter pointing at an internal resource. Possible targets include http://127.0.0.1 services, http://169.254.169.254 cloud metadata services, internal admin panels, and other LAN-reachable HTTP endpoints. The server returns the response body to the attacker, enabling reconnaissance and data exfiltration from non-routable networks. Refer to the GitHub Security Advisory GHSA-ccfq-2454-f5xw for technical details.
No verified public proof-of-concept code is available. The exploitation pattern follows a standard SSRF request through the vulnerable corsProxyMiddleware endpoint with an attacker-controlled URL parameter.
Detection Methods for CVE-2026-44652
Indicators of Compromise
- Outbound HTTP requests from the SillyTavern process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), 127.0.0.0/8 or 169.254.0.0/16, and, on dual-stack hosts, to their IPv6 counterparts (::1, fc00::/7, fe80::/10).
- Proxy request logs containing url parameters with IP literals, encoded hostnames, or non-public domains.
- Unexpected connections from the SillyTavern host to cloud metadata endpoints such as 169.254.169.254.
Detection Strategies
- Inspect SillyTavern HTTP access logs for requests targeting the CORS proxy route with suspicious url values.
- Correlate process-level network telemetry from the SillyTavern Node.js process against expected outbound destinations.
- Alert on DNS resolutions made by the SillyTavern host that return private or loopback addresses.
Monitoring Recommendations
- Forward web server and reverse proxy logs to a centralized logging platform and create rules for anomalous proxy usage.
- Monitor egress traffic from systems running SillyTavern with network firewall logs and flow data.
- Track running SillyTavern versions across the environment and alert on instances below 1.18.0.
How to Mitigate CVE-2026-44652
Immediate Actions Required
- Upgrade SillyTavern to version 1.18.0 or later on all installations.
- Restrict network access to SillyTavern instances so they are not exposed to untrusted networks or the public internet.
- Apply host-based egress filtering to block the SillyTavern process from reaching internal management interfaces and cloud metadata endpoints.
Patch Information
The vulnerability is fixed in SillyTavern 1.18.0. The patch enforces destination restrictions in corsProxyMiddleware. Review the GitHub Security Advisory GHSA-ccfq-2454-f5xw for upgrade guidance.
Workarounds
- Disable the CORS proxy feature in the SillyTavern configuration if upgrading is not immediately possible (the config.yaml setting is enableCorsProxy; confirm the exact key and its default in the config.yaml shipped with your version).
- Place SillyTavern behind a reverse proxy and either deny the CORS proxy route outright or validate the url value on that route. The target arrives as a path parameter (req.params.url), so the rule has to match on the request path rather than on a query string.
- Run SillyTavern in a network namespace or container with egress restricted to required external API hosts only.
# Configuration example: restrict egress with iptables on the SillyTavern host.
# Assumes the service runs as a dedicated user named "sillytavern"; adjust --uid-owner to match.
# Append these before any broad ACCEPT rule in OUTPUT (or use -I instead of -A), otherwise they never match.
# The 127.0.0.0/8 rule also blocks legitimate connections to a local model backend on loopback;
# if one is in use, put a more specific ACCEPT for that port ahead of these rules.
# IPv4 only: mirror them with ip6tables for ::1/128, fc00::/7 and fe80::/10 on dual-stack hosts.
iptables -A OUTPUT -m owner --uid-owner sillytavern -d 127.0.0.0/8 -j REJECT     # loopback
iptables -A OUTPUT -m owner --uid-owner sillytavern -d 10.0.0.0/8 -j REJECT      # RFC1918
iptables -A OUTPUT -m owner --uid-owner sillytavern -d 172.16.0.0/12 -j REJECT   # RFC1918
iptables -A OUTPUT -m owner --uid-owner sillytavern -d 192.168.0.0/16 -j REJECT  # RFC1918
iptables -A OUTPUT -m owner --uid-owner sillytavern -d 169.254.0.0/16 -j REJECT  # link-local, incl. 169.254.169.254 metadata
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.