CVE-2026-46372 Overview
CVE-2026-46372 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in SillyTavern, a locally installed user interface for interacting with large language models, image generation engines, and text-to-speech voice models. The flaw resides in the /api/search/searxng endpoint, which accepts an attacker-controlled baseUrl parameter and uses it directly to construct outbound server-side HTTP requests. An authenticated low-privilege user can redirect these requests to internal or loopback services and read the response body. The vulnerability affects all versions prior to 1.18.0 and is fixed in release 1.18.0.
Critical Impact
Authenticated low-privilege users can reach internal HTTP services, loopback endpoints, and cloud metadata APIs, retrieving sensitive response data from the SillyTavern host network.
Affected Products
- SillyTavern versions prior to 1.18.0
- SillyTavern /api/search/searxng endpoint
- Deployments exposing SillyTavern to multiple authenticated users
Discovery Timeline
- 2026-05-29 - CVE-2026-46372 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-46372
Vulnerability Analysis
The vulnerability stems from improper validation of a user-supplied URL parameter on the /api/search/searxng route. The endpoint accepts a baseUrl value from the request and passes it directly into a server-side HTTP client without restricting the scheme, host, or destination network. Because the fetch executes from the SillyTavern process, requests originate from the trusted server context rather than the client browser.
An authenticated low-privilege user can submit any URL as baseUrl, including http://127.0.0.1, http://localhost, RFC1918 addresses, or cloud instance metadata endpoints. SillyTavern then returns the response body of /search from that target to the caller. This grants attackers visibility into services bound to the loopback interface or otherwise unreachable from outside the host.
The issue is classified under CWE-918 (Server-Side Request Forgery). The EPSS score is 2.887% (percentile 86.576), indicating an elevated likelihood of exploitation relative to other published CVEs.
Root Cause
The root cause is missing allowlist validation on the baseUrl parameter. SillyTavern treats the value as a trusted upstream SearXNG instance and concatenates it into an outbound fetch URL. No filtering rejects loopback addresses, private IP ranges, link-local ranges, or non-HTTP schemes.
Attack Vector
Exploitation requires only an authenticated low-privilege account and network access to the SillyTavern instance. The attacker issues a request to /api/search/searxng with baseUrl set to an internal target. SillyTavern performs the fetch and returns the response body, enabling reconnaissance of internal services, retrieval of metadata credentials on cloud-hosted deployments, and probing of administrative interfaces on the loopback adapter.
No verified proof-of-concept code is published in the advisory. See the GitHub Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2026-46372
Indicators of Compromise
- Outbound HTTP requests from the SillyTavern process to 127.0.0.1, localhost, or RFC1918 addresses originating from /api/search/searxng handlers
- Requests to /api/search/searxng with baseUrl parameters pointing to internal hosts, metadata services such as 169.254.169.254, or non-search endpoints
- Unexpected access patterns in internal service logs sourced from the SillyTavern host IP
Detection Strategies
- Inspect SillyTavern access logs for /api/search/searxng calls and decode the baseUrl query parameter to identify suspicious targets
- Deploy egress filtering and log denied outbound connections from the SillyTavern host to internal ranges
- Correlate authenticated user sessions with outbound DNS lookups for internal hostnames
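The following Node.js script is an added example, not SillyTavern's own code and not the 1.18.0 fix. It shows both halves of what this page describes: the allowlist validation that the Root Cause section says was missing on baseUrl, and the log-inspection step from the list above, run over constructed access-log lines with the same classifier. The allowlist host names, the function names checkSearxngBaseUrl and findSuspiciousSearches, the combined-log line format and every baseUrl value in the sample lines are assumptions constructed for the example.

```javascript
// Added example, not SillyTavern's code. Two pieces that share one classifier:
//  1. checkSearxngBaseUrl(): the allowlist validation a /api/search/searxng
//     handler should apply before fetching from a user-supplied baseUrl.
//  2. findSuspiciousSearches(): the same check run over access-log lines to
//     surface past requests whose baseUrl pointed somewhere it never should.

// Operator-maintained allowlist of upstream SearXNG hosts (hypothetical names).
const ALLOWED_SEARXNG_HOSTS = new Set(['searx.example.internal', 'search.example.com']);

// Classify a dotted-quad IPv4 address. The WHATWG URL parser has already
// normalised shorthand forms such as 127.1 or 0x7f000001 to dotted quads.
function classifyIPv4(octets) {
  const [a, b] = octets;
  if (a === 127) return 'loopback';
  if (a === 0) return 'this-network';
  if (a === 169 && b === 254) return 'link-local';   // covers 169.254.169.254 metadata
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
  if (a === 100 && b >= 64 && b <= 127) return 'shared-cgnat';
  return 'public-ip';
}

// Classify a hostname exactly as new URL(...).hostname returns it.
function classifyHost(hostname) {
  const v4 = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(hostname);
  if (v4) return classifyIPv4(v4.slice(1).map(Number));
  if (hostname.startsWith('[')) {                     // IPv6 literal, serialised as hex groups
    const v6 = hostname.slice(1, -1).toLowerCase();
    if (v6 === '::1') return 'loopback';
    if (v6 === '::') return 'unspecified';
    if (v6.startsWith('::ffff:')) {                   // IPv4-mapped, e.g. ::ffff:7f00:1
      const groups = v6.slice(7).split(':').map(g => parseInt(g, 16));
      if (groups.length !== 2 || groups.some(Number.isNaN)) return 'unrecognised-ipv6';
      const [hi, lo] = groups;
      return classifyIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255]);
    }
    if (v6.startsWith('fe80:')) return 'link-local';
    if (/^f[cd][0-9a-f]{2}:/.test(v6)) return 'private';   // fc00::/7 unique local
    return 'public-ip';
  }
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return 'loopback';
  return 'hostname';
}

// Validate a candidate baseUrl. Returns { ok, reason, host } so callers can log why.
function checkSearxngBaseUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'disallowed-scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials-in-url' };
  const kind = classifyHost(url.hostname);
  if (kind !== 'hostname' && kind !== 'public-ip') return { ok: false, reason: kind, host: url.hostname };
  if (!ALLOWED_SEARXNG_HOSTS.has(url.hostname)) return { ok: false, reason: 'not-allowlisted', host: url.hostname };
  return { ok: true, reason: 'allowlisted', host: url.hostname };
}

// Constructed access-log lines in a combined-log style (not real SillyTavern output).
// Fields: client - user [time] "request" status bytes
const SAMPLE_LOG = [
  '10.0.5.7 - alice [29/May/2026:10:01:02 +0000] "GET /api/search/searxng?baseUrl=https%3A%2F%2Fsearch.example.com&query=weather HTTP/1.1" 200 4120',
  '10.0.5.9 - mallory [29/May/2026:10:03:44 +0000] "GET /api/search/searxng?baseUrl=http%3A%2F%2F127.0.0.1%3A8080&query=x HTTP/1.1" 200 15331',
  '10.0.5.9 - mallory [29/May/2026:10:04:01 +0000] "GET /api/search/searxng?baseUrl=http%3A%2F%2F169.254.169.254%2Flatest&query=x HTTP/1.1" 200 891',
  '10.0.5.9 - mallory [29/May/2026:10:04:30 +0000] "GET /api/search/searxng?baseUrl=http%3A%2F%2F%5B%3A%3Affff%3A7f00%3A1%5D%2F&query=x HTTP/1.1" 200 15331',
  '10.0.5.7 - alice [29/May/2026:10:05:00 +0000] "GET /api/characters/all HTTP/1.1" 200 2210',
];

const SEARXNG_REQUEST = /"(?:GET|POST) (\/api\/search\/searxng\S*) HTTP\//;

// Decode the baseUrl query parameter on each /api/search/searxng request and
// report every one the validator would have refused.
function findSuspiciousSearches(lines) {
  const hits = [];
  for (const line of lines) {
    const m = SEARXNG_REQUEST.exec(line);
    if (!m) continue;
    // Resolve the path against a dummy origin so URLSearchParams percent-decodes it.
    const baseUrl = new URL(m[1], 'http://sillytavern.invalid').searchParams.get('baseUrl');
    if (baseUrl === null) continue;
    const verdict = checkSearxngBaseUrl(baseUrl);
    if (!verdict.ok) hits.push({ user: line.split(' ')[2], baseUrl, reason: verdict.reason });
  }
  return hits;
}

console.log(findSuspiciousSearches(SAMPLE_LOG));
```

Run it with node; the three mallory lines are reported as loopback, link-local and loopback (the last one through the IPv4-mapped IPv6 literal). Rejecting everything except an explicit allowlist is the design choice here: a denylist of ranges alone would miss encodings the URL parser does not normalise. One caveat a hostname-only check cannot cover is a public name that resolves to an internal address; where that matters, resolve the allowlisted name and classify the resulting address at connect time as well.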
Monitoring Recommendations
- Alert on any outbound request from SillyTavern to loopback, link-local, or private network ranges
- Monitor authentication logs for newly created low-privilege accounts followed by activity against /api/search/
- Track response size anomalies on /api/search/searxng responses, which may indicate data exfiltration from internal services
How to Mitigate CVE-2026-46372
Immediate Actions Required
- Upgrade SillyTavern to version 1.18.0 or later, which removes attacker control over the baseUrl parameter
- Restrict SillyTavern access to trusted users only and rotate credentials for any shared deployments
- Place SillyTavern behind network egress controls that block requests to internal and metadata ranges
Patch Information
The vendor fixed this vulnerability in SillyTavern 1.18.0. Refer to the SillyTavern GitHub Security Advisory GHSA-qg89-qwwh-5f3j for release details and upgrade instructions.
Workarounds
- Disable or block the /api/search/searxng endpoint at a reverse proxy until the upgrade is applied
- Run SillyTavern in a network namespace or container with egress restricted to required external SearXNG instances only
- Limit account creation and require strong authentication to reduce the pool of users able to invoke the vulnerable endpoint
# Example reverse proxy block for the vulnerable endpoint (nginx)
location /api/search/searxng {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


