HIGH 7.5

CVE-2026-44648: SillyTavern Session Expiration Vulnerability – Account Takeover Risk

SillyTavern, a locally installed interface for interacting with large language models and related AI services, contains a session management vulnerability in versions prior to 1.18.0. When users change their password or complete account recovery, the application updates the password hash in its database but fails to invalidate existing user sessions. Because SillyTavern uses stateless, client-side cookie storage for authentication data, the server has no mechanism to revoke tokens after they're issued. An attacker who gains access to a user's session cookie—either through theft, interception, or social engineering—can continue using that session even after the legitimate user changes their password, maintaining unauthorized access to the account and its associated permissions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-613
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. This vulnerability is fixed in 1.18.0.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

SillyTavern relies on cookie-session middleware, storing session state (user handle, permissions) entirely within signed cookies rather than a server-side session store. The password change endpoints (POST /api/users/change-password) and account recovery endpoint (POST /api/users/recover-step2) update the password hash in the database but do not invoke any session expiration or invalidation logic. This architectural mismatch means authentication credentials rotate in the database while the stateless client cookie—which contains the original session proof—remains valid. An attacker with a captured cookie can continue making authenticated requests indefinitely, bypassing the password change as a security boundary. CWE-613 (Insufficient Session Expiration) accurately characterizes the root cause: the application fails to implement server-side session termination upon credential change.

Business impact

Organizations deploying SillyTavern for AI interactions face account takeover risk if session cookies are compromised. A threat actor obtaining a user's cookie through network sniffing, malware, or browser-based theft can impersonate that user without needing the updated password, accessing conversation history, model configurations, and any integrated services connected to that account. The impact escalates if SillyTavern is used in environments where multiple users share a system or where cookies persist across network boundaries. For enterprises piloting LLM interfaces, this represents a gap in credential lifecycle management that could undermine access control policies and audit trails.

Affected systems

SillyTavern versions prior to 1.18.0 are affected. The vulnerability exists in the authentication flow and session handling logic, affecting all deployment modes where the application receives network requests. Versions 1.18.0 and later include the fix and should be prioritized for rollout.

Exploitability

The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H; score 7.5, HIGH) reflects network accessibility but high attack complexity and user interaction requirements. An attacker must obtain a valid session cookie—typically through phishing, browser compromise, network interception on unencrypted connections, or local system access. Once a cookie is captured, exploitation is straightforward: the attacker simply replays authenticated requests using the stolen cookie. The 'High' complexity and 'Required' user interaction ratings account for the non-trivial effort required to acquire the cookie initially. The vulnerability is not trivially exploitable in bulk but poses significant risk in targeted scenarios where an attacker focuses on a specific user or small group.

Remediation

Upgrade SillyTavern to version 1.18.0 or later, which implements proper session expiration upon password change and account recovery. After patching, users should assume any sessions active prior to the update are potentially compromised and should be treated with suspicion; consider requesting users to log out and re-authenticate. If running an unpatched version and password changes have occurred, review access logs and session activity for anomalies. Implement additional controls such as HTTPS enforcement, secure cookie flags (HttpOnly, Secure, SameSite), and network-level monitoring to reduce cookie capture opportunities.

Patch guidance

Update to SillyTavern 1.18.0 as soon as feasible. The patch introduces server-side session expiration triggered by password change and recovery operations, closing the stateless-cookie window. Coordinate the update across all instances running SillyTavern in your environment. Verify compatibility with any custom integrations or extensions before deploying to production. No rollback concerns are anticipated; the fix is backward-compatible from a user perspective.

Detection guidance

Monitor for suspicious authentication patterns: authenticated requests continuing after a password change event, session cookies persisting across password resets, or multiple simultaneous active sessions for the same user without corresponding login events. If SillyTavern exposes access logs, correlate password-change events with subsequent API requests from different IP addresses or user agents. Network-level detection is challenging because the session appears legitimate to the server; focus on behavioral anomalies and user reports of unexplained account activity. Regular session audits and periodic forced re-authentication help limit the window of exposure.

Why prioritize this

This vulnerability warrants prompt but not emergency attention. It requires attack preconditions (cookie acquisition) that are not trivially met in most deployments, hence the HIGH rather than CRITICAL severity. However, the impact of exploitation—account takeover and sustained unauthorized access—is significant, and the fix is available and straightforward. Prioritize patching based on deployment scope: if SillyTavern is used in high-security environments or processes sensitive data, treat as high priority; if it is experimental or isolated, medium priority is acceptable pending routine update cycles. The lack of KEV status indicates no public active exploitation at publication, but assume this could change.

Risk score, explained

CVSS 7.5 reflects the combination of network-accessible endpoints, high impact (all three confidentiality, integrity, and availability flags set), but mitigated by attack complexity (acquiring a session cookie is non-trivial) and user interaction requirements (an attacker must trick a user into a scenario where cookies can be captured or stolen). The score does not account for local deployment posture; if SillyTavern is installed on an air-gapped or isolated system, real-world risk is lower. Conversely, if exposed to untrusted networks, the effective risk is higher because cookie interception becomes more plausible.

Frequently asked questions

If I change my password in SillyTavern before upgrading, am I safe from this attack?

No. Changing your password updates the database credential but does not invalidate your existing session cookies. Any cookies issued before the password change remain valid even after the change, because the session state is stored in the client cookie, not on the server. Upgrade to 1.18.0 to enable server-side session expiration upon password change.

Does enabling HTTPS prevent this vulnerability?

HTTPS protects cookies in transit from network eavesdropping, which reduces one attack vector (man-in-the-middle interception). However, HTTPS does not prevent attackers from acquiring cookies through browser compromise, malware, phishing, or local system access. It also does not address the root cause: lack of server-side session expiration. HTTPS is a necessary complementary control but does not eliminate the vulnerability.

What should I do if I suspect my session has been compromised?

Log out of SillyTavern immediately and change your password. However, note that changing your password alone does not revoke existing sessions in affected versions. Upgrade to 1.18.0 first, then change your password to invalidate old sessions. If you do not have access to the application to log out, an administrator can clear cookies or reset your account if the deployment supports it.

Is this vulnerability exploitable on a fully air-gapped, single-user deployment?

The attack requires an attacker to obtain a valid session cookie first. In a single-user, air-gapped environment with no untrusted access, the risk of cookie theft is minimal. However, the vulnerability still exists; if the system is ever connected to a network or accessed by an attacker with physical or remote access, the risk materializes. Patching remains the correct long-term action.

This analysis is based on the published CVE record and vendor advisory as of the dates listed. No exploit code has been published or tested by SEC.co. CVSS scores and severity ratings are provided for reference and should be contextualized within your organization's threat model and risk tolerance. Readers should verify all patch version numbers and availability directly with the SillyTavern project before deploying updates. This page does not constitute security advice; consult with your security team and the vendor for guidance specific to your deployment. All information is current as of the publication date; refer to vendor advisories for updates. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).