Description
SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. A setting can be customized according to user’s needs.
Documentation: https://docs.sillytavern.app/administration/sso/
Recommendation
Update the sillytavern package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.17.0
- Patched version(s): 1.18.0
References
- GHSA-gxx6-h3g6-vwjh
- CVE-2026-44649
- CWE-290
- CWE-306
- CWE-346
- CWE-807
- CAPEC-310
- OWASP 2021-A4
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
- Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - CVE-2026-40175
- FUXA has JWT Authentication Bypass via HTTP Referer header spoofing - CVE-2025-69985
- Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
You might also like:
- Tags:
- npm
- sillytavern
Anything's wrong? Let us know Last updated on May 12, 2026


