SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

Severity:: High

Description

Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password.

Recommendation

Update the sillytavern package to the latest compatible version. Followings are version details:

Affected version(s): <= 1.17.0
Patched version(s): 1.18.0

References

GHSA-wmm3-h9qj-p5v6
CVE-2026-44648
CWE-613
CAPEC-310
OWASP 2021-A6
OWASP 2021-A7

Related Issues

Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - CVE-2026-22706
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - @strapi/plugin-users-permissions - CVE-2026-22706
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - payload - CVE-2026-34751
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - CVE-2026-34751

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; sillytavern

Anything's wrong? Let us know Last updated on May 14, 2026