HIGH 8.5

CVE-2026-46372: SillyTavern Server-Side Request Forgery (SSRF) – Patch Now for v1.18.0

SillyTavern, a local application for interacting with AI language models and voice services, contains a server-side request forgery (SSRF) vulnerability in its search API endpoint. An authenticated user with low privileges can manipulate the baseUrl parameter to force the server to make requests to internal or loopback services, then view the responses. This allows attackers to probe or exfiltrate data from systems that should only be accessible internally. The flaw affects all versions before 1.18.0 and has been patched in that release.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46372 is a classic SSRF vulnerability (CWE-918) in SillyTavern's /api/search/searxng endpoint. The endpoint accepts an attacker-controlled baseUrl parameter without validation and uses it directly to construct outbound HTTP requests from the server context. An authenticated user can supply a baseUrl pointing to internal IP ranges (127.0.0.1, 192.168.x.x, etc.) or loopback interfaces, causing the SillyTavern server to fetch from those addresses and return the response body to the attacker. This bypasses network-level access controls that typically isolate internal services from external users. The vulnerability requires authentication (PR:L in CVSS), meaning an account with any privilege level can exploit it, but does not require user interaction or network access beyond what an authenticated session provides.

Business impact

This vulnerability primarily impacts organizations running self-hosted SillyTavern instances where internal network segmentation relies on network access controls rather than application-level authentication. An insider or compromised account holder can use the search API to discover and interact with internal services—such as metadata servers, admin dashboards, configuration endpoints, or databases—that were assumed to be isolated. In worst-case scenarios, attackers could extract sensitive configuration data, API keys, or credentials exposed by internal services. While direct code execution is not possible through this vector, the information disclosure and lateral movement potential could accelerate a multi-stage attack.

Affected systems

SillyTavern versions prior to 1.18.0 are affected. This includes both stable and pre-release builds deployed before the patch date of 2026-05-29. The vulnerability is present in locally installed instances; cloud-hosted or containerized deployments are at risk if the instance version is below 1.18.0. Organizations using air-gapped or restricted-network deployments may be slower to patch and should prioritize verification of their current version.

Exploitability

Exploitability is straightforward for an authenticated user. No special tools or code are required—standard HTTP clients can craft requests to /api/search/searxng with a malicious baseUrl. The CVSS score of 8.5 (HIGH) reflects the low attack complexity, the wide scope of potential internal targets, and the fact that any authenticated user can launch the attack. However, the requirement for prior authentication (PR:L) prevents unauthenticated remote exploitation. Organizations with weak credential hygiene or exposed SillyTavern instances on public networks face elevated risk.

Remediation

Upgrade SillyTavern to version 1.18.0 or later. This release includes input validation for the baseUrl parameter and restricts searches to allowlisted or validated URLs. After patching, verify the upgrade by checking the application version in the settings or console output. No configuration changes or manual workarounds are documented as substitutes for the upgrade. Organizations unable to patch immediately should restrict network access to the SillyTavern application itself, limiting who can reach it and therefore who can exploit the SSRF.

Patch guidance

Download and install SillyTavern 1.18.0 from the official repository. If running in a container or package manager, use the standard update mechanism (docker pull, npm update, etc.). Stop the running instance, apply the patch, and restart. Verify the application version post-upgrade. No rollback concerns or breaking changes have been reported. Test in a non-production environment first if the instance is mission-critical.

Detection guidance

Monitor logs for unusual patterns in /api/search/searxng requests, particularly those with baseUrl parameters containing private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1) or known internal hostnames. Examine HTTP response headers and bodies for signs of internal service responses (e.g., 'Content-Type: application/json' with metadata server signatures). Network-level detection can flag outbound traffic from the SillyTavern process to internal subnets if such traffic is unusual. Correlate authentication logs with timing of suspicious API calls to identify potentially compromised accounts.

Why prioritize this

Although this vulnerability requires prior authentication, the ease of exploitation, high score (8.5), and potential for lateral movement and data theft make it a priority. SillyTavern is often deployed in environments where users have trusted access, but insider threats and account compromise are realistic scenarios. The patch is available and straightforward to apply, reducing friction for remediation. Organizations should upgrade promptly, particularly if the instance is exposed to a large or untrusted user base.

Risk score, explained

The CVSS 3.1 score of 8.5 (HIGH) is driven by: a Network Attack Vector (AV:N) allowing remote exploitation; Low Attack Complexity (AC:L) requiring no special setup; a Low-privilege Requirement (PR:L) meaning any authenticated user can exploit it; no User Interaction (UI:N); Changed Scope (S:C) because internal systems become accessible from the application context; and High Confidentiality impact (C:H) due to information disclosure. Integrity is marked as Low (I:L) because direct data modification is unlikely, though indirect impacts (e.g., using disclosed credentials) are possible. Availability is Not affected (A:N). The score reflects realistic insider and account-compromise threats in self-hosted deployments.

Frequently asked questions

Can this vulnerability be exploited by unauthenticated users?

No. The vulnerability requires authentication (PR:L). An attacker must first obtain valid credentials to access the SillyTavern instance. However, organizations with weak access controls or publicly exposed instances should assume credential compromise is possible.

What internal services are most at risk if this is exploited?

Any HTTP-based internal service is potentially vulnerable: metadata servers (AWS IMDSv1, GCP metadata), admin dashboards, internal APIs, configuration servers, or databases with HTTP interfaces. Services that rely on network-only isolation or those that trust local requests are especially at risk.

Does the patch address any other security issues?

The CVE description indicates the patch specifically addresses input validation for the baseUrl parameter in the search API. You should review the full release notes for version 1.18.0 to identify any other security improvements or bug fixes.

Can we mitigate this without upgrading?

Complete remediation requires upgrading to 1.18.0. Temporary mitigations include restricting network access to the SillyTavern application to trusted networks only, limiting the number of authenticated users with access, and monitoring for suspicious API patterns. These are stop-gap measures only; patching is essential.

This analysis is provided for informational purposes and reflects the vulnerability details as published. Always verify vendor advisories, patch availability, and compatibility before deploying updates in production environments. SEC.co does not provide warranty or guarantee regarding the completeness or timeliness of this analysis. Organizations are responsible for assessing their own risk and determining appropriate remediation timelines based on their threat model and environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).