CVE-2026-26286: sillytavern: SSRF allows internal network access

HIGH | PoC available | CISA: Track*
Published February 19, 2026
CISO Take

CVE-2026-26286 is a high-severity SSRF in SillyTavern (<1.16.0) that lets any authenticated user pivot from the LLM UI to internal network services, including cloud metadata endpoints (AWS IMDS, GCP metadata). If SillyTavern is deployed on a cloud VM or internal server—common in MLOps GPU setups—this becomes a credential-theft vector with lateral movement potential. Patch immediately to 1.16.0; if patching is not immediate, restrict access to trusted users only and block outbound HTTP from the SillyTavern process to 169.254.169.254 and RFC-1918 ranges.

What is the risk?

Risk is HIGH in cloud-hosted or network-accessible deployments, MEDIUM in purely local single-user setups. Attack complexity is low, privileges required are minimal (any authenticated session suffices), and there is no user interaction needed. The cloud metadata angle elevates severity beyond the CVSS 8.5 baseline: a successful SSRF against IMDS yields IAM credentials, enabling full cloud account compromise. Exposure is real—SillyTavern is actively deployed on cloud VMs for GPU-accelerated inference, particularly in research and hobbyist MLOps pipelines. EPSS not available, but the SSRF primitive is trivially exploitable once authenticated.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
sillytavern No patch

Do you use sillytavern? You're affected.

How severe is it?

CVSS 3.1: 8.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 20% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: Low
A: None

What should I do?

6 steps
  1. PATCH

    Upgrade to SillyTavern 1.16.0 immediately.

  2. WORKAROUND

    If patching is delayed, lock down the whitelistImportDomains array in config.yaml to explicitly permitted domains only.

  3. NETWORK CONTROLS

    Block outbound requests from the SillyTavern process/container to 169.254.169.254 (IMDS), fd00::/8 and 169.254.0.0/16 (link-local), and RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via host firewall or egress policy.

  4. CLOUD HARDENING

    Enable IMDSv2 with hop limit of 1 on AWS EC2 to prevent SSRF-based metadata access. On GCP/Azure apply equivalent metadata endpoint restrictions.

  5. ACCESS CONTROL

    Ensure SillyTavern is not exposed to untrusted users—apply network-level authentication (VPN, mTLS, SSH tunnel) before the application layer.

  6. DETECTION

    Alert on outbound requests from SillyTavern processes to internal IP ranges, IMDS endpoints, or unusual external domains. Review access logs for the asset download endpoint for anomalous destinations.
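
A sketch of the DETECTION step using the ranges from the NETWORK CONTROLS step. This is an added example, not SillyTavern or vendor code; the key=value log format, the process name field and the sample lines are constructed assumptions.

```javascript
// Added example (not SillyTavern code). Log format and sample lines are constructed.
const net = require('node:net');
// Ranges from the NETWORK CONTROLS step; IMDS is listed first so it wins over the /16.
const RANGES = [
  ['imds', '169.254.169.254', 32, 'ipv4'],
  ['link-local', '169.254.0.0', 16, 'ipv4'],
  ['rfc1918', '10.0.0.0', 8, 'ipv4'],
  ['rfc1918', '172.16.0.0', 12, 'ipv4'],
  ['rfc1918', '192.168.0.0', 16, 'ipv4'],
  ['ipv6-fd00/8', 'fd00::', 8, 'ipv6'],
];

// One BlockList per range so a hit can be reported with its label.
const MATCHERS = RANGES.map(([label, addr, prefix, family]) => {
  const list = new net.BlockList();
  list.addSubnet(addr, prefix, family);
  return { label, list };
});

// Returns a range label, 'unparsed' for a non-IP destination, or null if external.
function classifyDestination(ip) {
  const family = net.isIPv4(ip) ? 'ipv4' : net.isIPv6(ip) ? 'ipv6' : null;
  if (!family) return 'unparsed';
  const hit = MATCHERS.find((m) => m.list.check(ip, family));
  return hit ? hit.label : null;
}

// Constructed sample: hypothetical "key=value" egress log, one connection per line.
const SAMPLE_LOG = [
  '2026-02-20T10:15:01Z proc=sillytavern dst=203.0.113.10 port=443',
  '2026-02-20T10:15:02Z proc=sillytavern dst=169.254.169.254 port=80',
  '2026-02-20T10:15:03Z proc=sillytavern dst=10.0.4.17 port=8080',
  '2026-02-20T10:15:04Z proc=nginx dst=192.168.1.10 port=443',
  '2026-02-20T10:15:05Z proc=sillytavern dst=fd12:3456::1 port=11434',
  '2026-02-20T10:15:06Z proc=sillytavern dst=172.32.0.9 port=443',
];

// Alerts for one process name: every connection whose destination is not external.
function findInternalEgress(lines, proc = 'sillytavern') {
  const alerts = [];
  for (const line of lines) {
    const f = Object.fromEntries(line.split(/\s+/).slice(1).map((kv) => kv.split('=')));
    if (f.proc !== proc || !f.dst) continue;
    const label = classifyDestination(f.dst);
    if (label) alerts.push({ dst: f.dst, port: f.port, label });
  }
  return alerts;
}
console.log(findInternalEgress(SAMPLE_LOG));
```

Destinations that cannot be parsed as an IP address are surfaced as `unparsed` rather than dropped, so a malformed log field still reaches a reviewer.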

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, Robustness and Cybersecurity
  Art. 9 - Risk Management System
ISO 42001
  A.6.2.6 - AI system security
  A.6.2.7 - AI System Supplier Relationships
  A.9.4 - Secure AI System Development
NIST AI RMF
  GOVERN-6.1 - Policies and practices are in place for AI risk governance across the organization
  MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
  MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of AI systems over their lifecycle
OWASP LLM Top 10
  LLM02:2025 - Sensitive Information Disclosure
  LLM06:2025 - Excessive Agency
  LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-26286 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-26286, increasing the risk of exploitation.

How to fix CVE-2026-26286?

1. PATCH: Upgrade to SillyTavern 1.16.0 immediately.
2. WORKAROUND: If patching is delayed, lock down the `whitelistImportDomains` array in config.yaml to explicitly permitted domains only.
3. NETWORK CONTROLS: Block outbound requests from the SillyTavern process/container to 169.254.169.254 (IMDS), fd00::/8 and 169.254.0.0/16 (link-local), and RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via host firewall or egress policy.
4. CLOUD HARDENING: Enable IMDSv2 with hop limit of 1 on AWS EC2 to prevent SSRF-based metadata access. On GCP/Azure apply equivalent metadata endpoint restrictions.
5. ACCESS CONTROL: Ensure SillyTavern is not exposed to untrusted users—apply network-level authentication (VPN, mTLS, SSH tunnel) before the application layer.
6. DETECTION: Alert on outbound requests from SillyTavern processes to internal IP ranges, IMDS endpoints, or unusual external domains. Review access logs for the asset download endpoint for anomalous destinations.

What systems are affected by CVE-2026-26286?

This vulnerability affects the following AI/ML architecture patterns: Local LLM inference setups (Ollama, LM Studio, llama.cpp), Cloud-hosted ML inference environments, RAG pipelines with SillyTavern as the UI layer, Agent frameworks using SillyTavern as front-end, MLOps environments with co-located model serving APIs, Private model registries on internal networks.

What is the CVSS score for CVE-2026-26286?

CVE-2026-26286 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.28%.

What is the AI security impact?

Affected AI Architectures

Local LLM inference setups (Ollama, LM Studio, llama.cpp)
Cloud-hosted ML inference environments
RAG pipelines with SillyTavern as the UI layer
Agent frameworks using SillyTavern as front-end
MLOps environments with co-located model serving APIs
Private model registries on internal networks

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0036 Data from Information Repositories
AML.T0037 Data from Local System
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery
AML.T0085 Data from AI Services
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.6.2.6, A.6.2.7, A.9.4
NIST AI RMF: GOVERN-6.1, MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM02:2025, LLM06:2025, LLM07

What are the technical details?

Original Advisory

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.16.0, a Server-Side Request Forgery (SSRF) vulnerability in the asset download endpoint allows authenticated users to make arbitrary HTTP requests from the server and read the full response body, enabling access to internal services, cloud metadata, and private network resources. The vulnerability has been patched in version 1.16.0 by introducing a whitelist domain check for asset download requests. It can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file.
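
A host allowlist check of the kind the advisory describes, written here as an added example; it is not SillyTavern's implementation. `ALLOWED_DOMAINS` stands in for the `whitelistImportDomains` array, and its values, the function name and the test URLs are constructed assumptions.

```javascript
// Added example, not SillyTavern's code. ALLOWED_DOMAINS stands in for the
// whitelistImportDomains array; its values here are constructed.
const ALLOWED_DOMAINS = ['assets.example.org', 'cdn.example.net'];

// Returns { allowed, reason?, host? } so a rejection can be logged with its cause.
function checkAssetUrl(rawUrl, allowed = ALLOWED_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme' };
  }
  // Use the parsed hostname: the parser has already split off userinfo, port and
  // path and lower-cased the host. A trailing root dot is dropped before comparing.
  const host = url.hostname.replace(/\.$/, '');
  // Exact comparison only; substring or suffix matching would accept look-alikes.
  const ok = allowed.some((d) => d.toLowerCase() === host);
  return ok ? { allowed: true, host } : { allowed: false, reason: 'host-not-listed', host };
}

// Constructed inputs a reviewer would want in the unit tests for such a check.
const CASES = [
  'https://assets.example.org/pack.zip',
  'https://ASSETS.example.org./pack.zip',
  'http://169.254.169.254/latest/meta-data/',
  'https://assets.example.org@10.0.0.5/',
  'https://assets.example.org.internal.test/',
  'ftp://assets.example.org/pack.zip',
];
for (const c of CASES) console.log(c, checkAssetUrl(c));
```

A hostname allowlist does not replace the egress controls listed under the remediation steps: it decides which names may be requested, while the firewall rule decides which addresses the process can reach.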

Exploitation Scenario

An attacker with any valid SillyTavern account (or access to a shared/public instance) crafts a malicious asset download request targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted VM. The server fetches the URL and returns the full response—including temporary IAM access key, secret, and session token. The attacker uses those credentials to enumerate S3 buckets (potentially containing training data, model weights, or proprietary datasets), pivot to other AWS services, or escalate privileges. In a multi-tenant or team deployment, any low-privileged user can execute this without any social engineering or additional exploitation steps.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Timeline

Published
February 19, 2026
Last Modified
February 20, 2026
First Seen
February 19, 2026
