Description
SillyTavern versions up to and including 1.17.0 honoured SSO (reverse-proxy) authentication headers regardless of the address the request came from, so a client that could reach the server without going through the trusted proxy could set the header itself and be accepted as that user. SillyTavern 1.18.0 adds a configuration option that restricts which source IP addresses may authenticate using SSO headers; by default only loopback addresses are accepted, and the allowlist can be adjusted to match the deployment.
Documentation: https://docs.sillytavern.app/administration/sso/
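The check the fix introduces, as an added example and not SillyTavern's own code: an identity header is only honoured when the TCP peer address is on an allowlist that defaults to loopback. The function names, the option key `allowedSources`, the header name `X-Forwarded-User` and the sample requests are assumptions for illustration; the vulnerable variant is shown beside the hardened one.

```javascript
// Added example, not SillyTavern's own code. Models header-based SSO where the
// identity header is trusted only from allowlisted source addresses.
// Names (isTrustedSsoSource, resolveSsoUser, allowedSources, X-Forwarded-User)
// are assumptions, not the project's real identifiers.

const DEFAULT_ALLOWED_SOURCES = ['127.0.0.1', '::1']; // loopback only, matching the 1.18.0 default

/** Normalise an IPv6-mapped IPv4 address such as ::ffff:127.0.0.1 to 127.0.0.1. */
function normalizeAddress(addr) {
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(addr);
  return m ? m[1] : addr.toLowerCase();
}

/** Convert a dotted IPv4 string to an unsigned 32-bit integer, or null if malformed. */
function ipv4ToInt(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

/** True if remoteAddr matches an allowlist entry: exact address or IPv4 CIDR (e.g. 10.0.0.0/8). */
function isTrustedSsoSource(remoteAddr, allowed = DEFAULT_ALLOWED_SOURCES) {
  const addr = normalizeAddress(remoteAddr);
  for (const entry of allowed) {
    const e = normalizeAddress(entry);
    if (e === addr) return true;
    const slash = e.indexOf('/');
    if (slash === -1) continue;
    const net = ipv4ToInt(e.slice(0, slash));
    const bits = Number(e.slice(slash + 1));
    const ip = ipv4ToInt(addr);
    // Malformed entries or prefix lengths are ignored rather than treated as "match all".
    if (net === null || ip === null || !Number.isInteger(bits) || bits < 0 || bits > 32) continue;
    const mask = bits === 0 ? 0 : ((0xffffffff << (32 - bits)) >>> 0);
    if (((ip & mask) >>> 0) === ((net & mask) >>> 0)) return true;
  }
  return false;
}

/**
 * Vulnerable pattern (pre-1.18.0 behaviour as described in the advisory): the header is
 * trusted from any peer, so a client that bypasses the proxy can set it directly.
 */
function resolveSsoUserUnsafe(req) {
  return req.headers['x-forwarded-user'] || null;
}

/** Hardened pattern: honour the header only when the peer address is allowlisted. */
function resolveSsoUser(req, options = {}) {
  const allowed = options.allowedSources || DEFAULT_ALLOWED_SOURCES;
  if (!isTrustedSsoSource(req.remoteAddress, allowed)) return null;
  return req.headers['x-forwarded-user'] || null;
}

// Constructed sample requests: one via a reverse proxy on the same host, one spoofed from outside.
const viaProxy = { remoteAddress: '::ffff:127.0.0.1', headers: { 'x-forwarded-user': 'alice' } };
const spoofed = { remoteAddress: '203.0.113.7', headers: { 'x-forwarded-user': 'admin' } };

console.log(resolveSsoUserUnsafe(spoofed)); // 'admin': header accepted from an untrusted peer
console.log(resolveSsoUser(viaProxy));      // 'alice'
console.log(resolveSsoUser(spoofed));       // null
console.log(resolveSsoUser(spoofed, { allowedSources: ['203.0.113.0/24'] })); // 'admin', only if the operator trusts that range
```

The address compared against the allowlist must be the real TCP peer (`socket.remoteAddress` in Node.js), never a value taken from `X-Forwarded-For` or a similar header, since that is itself attacker-controlled. On a dual-stack listener the peer address of an IPv4 client arrives as `::ffff:a.b.c.d`, which is why the example normalises it before comparison.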
Recommendation
Update the sillytavern package to the latest compatible version. Version details:
- Affected version(s): <= 1.17.0
- Patched version(s): 1.18.0
References
- GHSA-gxx6-h3g6-vwjh
- CVE-2026-44649
- CWE-290
- CWE-306
- CWE-346
- CWE-807
- CAPEC-310
- OWASP 2021-A4
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- FUXA has JWT Authentication Bypass via HTTP Referer header spoofing - CVE-2025-69985
- fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
- LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header - CVE-2026-39411
- Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
- Tags:
- npm
- sillytavern
Last updated on May 12, 2026