CVE-2026-26286

HIGH
Published February 19, 2026
CISO Take

CVE-2026-26286 is a high-severity SSRF in SillyTavern (<1.16.0) that lets any authenticated user pivot from the LLM UI to internal network services, including cloud metadata endpoints (AWS IMDS, GCP metadata). If SillyTavern is deployed on a cloud VM or internal server—common in MLOps GPU setups—this becomes a credential-theft vector with lateral movement potential. Patch immediately to 1.16.0; if patching is not immediate, restrict access to trusted users only and block outbound HTTP from the SillyTavern process to 169.254.169.254 and RFC-1918 ranges.

Affected Systems

Package Ecosystem Vulnerable Range Patched
sillytavern No patch

Severity & Risk

CVSS 3.1
8.5 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. PATCH: Upgrade to SillyTavern 1.16.0 immediately.
  2. WORKAROUND: If patching is delayed, lock down the `whitelistImportDomains` array in config.yaml to explicitly permitted domains only.
  3. NETWORK CONTROLS: Block outbound requests from the SillyTavern process/container to 169.254.169.254 (IMDS), fd00::/8 and 169.254.0.0/16 (link-local), and RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via host firewall or egress policy.
  4. CLOUD HARDENING: Enable IMDSv2 with hop limit of 1 on AWS EC2 to prevent SSRF-based metadata access. On GCP/Azure apply equivalent metadata endpoint restrictions.
  5. ACCESS CONTROL: Ensure SillyTavern is not exposed to untrusted users—apply network-level authentication (VPN, mTLS, SSH tunnel) before the application layer.
  6. DETECTION: Alert on outbound requests from SillyTavern processes to internal IP ranges, IMDS endpoints, or unusual external domains. Review access logs for the asset download endpoint for anomalous destinations.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
Art. 9 - Risk Management System
ISO 42001
A.6.2.6 - AI system security
A.6.2.7 - AI System Supplier Relationships
A.9.4 - Secure AI System Development
NIST AI RMF
GOVERN-6.1 - Policies and practices are in place for AI risk governance across the organization
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of AI systems over their lifecycle
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure
LLM06:2025 - Excessive Agency
LLM07 - Insecure Plugin Design

Technical Details

NVD Description

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.16.0, a Server-Side Request Forgery (SSRF) vulnerability in the asset download endpoint allows authenticated users to make arbitrary HTTP requests from the server and read the full response body, enabling access to internal services, cloud metadata, and private network resources. The vulnerability has been patched in the version 1.16.0 by introducing a whitelist domain check for asset download requests. It can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file.
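The kind of domain allowlist check described above, written as an added example for reviewers and defenders; it is not SillyTavern's code. The function names, reason strings and any allowlist passed in are assumptions, and the IPv4 ranges are the ones listed under Recommended Action.

```javascript
// Added example, not SillyTavern code: validate an asset URL against an
// exact-match domain allowlist before the server fetches it.
// Internal IPv4 ranges taken from the Recommended Action list.
const INTERNAL_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], ['169.254.0.0', 16],
];

const toInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isInternalV4(ip) {
  return INTERNAL_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(toInt(ip) / size) === Math.floor(toInt(base) / size);
  });
}

function checkAssetUrl(rawUrl, allowedDomains) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme' };
  }
  // The WHATWG parser lowercases the host and rewrites decimal, hex and short
  // IPv4 forms to dotted-quad, so decide on url.hostname, never on rawUrl.
  const host = url.hostname.replace(/\.$/, '');
  // IP literals are never allowlisted; the reason string is kept for alerting.
  if (host.startsWith('[')) return { allowed: false, reason: 'ipv6-literal' };
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return { allowed: false, reason: isInternalV4(host) ? 'internal-ipv4' : 'ipv4-literal' };
  }
  // Exact match only: suffix or substring matching would let a look-alike
  // host such as "<allowed>.other.test" through.
  const allowed = allowedDomains.some((d) => d.toLowerCase() === host);
  // A hostname check does not cover redirects or an allowlisted name that
  // resolves to an internal address, so the egress controls still apply.
  return { allowed, reason: allowed ? 'allowlisted' : 'not-allowlisted' };
}
```

Logging the `reason` for every rejected request gives the detection step a ready signal for attempts aimed at internal addresses.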

Exploitation Scenario

An attacker with any valid SillyTavern account (or access to a shared/public instance) crafts a malicious asset download request targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted VM. The server fetches the URL and returns the full response—including temporary IAM access key, secret, and session token. The attacker uses those credentials to enumerate S3 buckets (potentially containing training data, model weights, or proprietary datasets), pivot to other AWS services, or escalate privileges. In a multi-tenant or team deployment, any low-privileged user can execute this without any social engineering or additional exploitation steps.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Timeline

Published
February 19, 2026
Last Modified
February 20, 2026
First Seen
February 19, 2026