CVE-2026-26286: sillytavern: SSRF allows internal network access

HIGH | PoC AVAILABLE | CISA: TRACK*
Published February 19, 2026
CISO Take

CVE-2026-26286 is a high-severity SSRF in SillyTavern (<1.16.0) that lets any authenticated user pivot from the LLM UI to internal network services, including cloud metadata endpoints (AWS IMDS, GCP metadata). If SillyTavern is deployed on a cloud VM or internal server—common in MLOps GPU setups—this becomes a credential-theft vector with lateral movement potential. Patch immediately to 1.16.0; if patching is not immediate, restrict access to trusted users only and block outbound HTTP from the SillyTavern process to 169.254.169.254 and RFC-1918 ranges.

Risk Assessment

Risk is HIGH in cloud-hosted or network-accessible deployments, MEDIUM in purely local single-user setups. Attack complexity is low, privileges required are minimal (any authenticated session suffices), and there is no user interaction needed. The cloud metadata angle elevates severity beyond the CVSS 8.5 baseline: a successful SSRF against IMDS yields IAM credentials, enabling full cloud account compromise. Exposure is real—SillyTavern is actively deployed on cloud VMs for GPU-accelerated inference, particularly in research and hobbyist MLOps pipelines. EPSS not available, but the SSRF primitive is trivially exploitable once authenticated.

Affected Systems

Package Ecosystem Vulnerable Range Patched
sillytavern No patch


Severity & Risk

CVSS 3.1: 8.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR Low
UI None
S Changed
C High
I Low
A None

Recommended Action

6 steps
  1. PATCH

    Upgrade to SillyTavern 1.16.0 immediately.

  2. WORKAROUND

    If patching is delayed, lock down the whitelistImportDomains array in config.yaml to explicitly permitted domains only.

  3. NETWORK CONTROLS

    Block outbound requests from the SillyTavern process/container to 169.254.169.254 (IMDS), fd00::/8 (IPv6 unique local addresses), 169.254.0.0/16 (link-local), and the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via host firewall or egress policy.

  4. CLOUD HARDENING

    Enable IMDSv2 with hop limit of 1 on AWS EC2 to prevent SSRF-based metadata access. On GCP/Azure apply equivalent metadata endpoint restrictions.

  5. ACCESS CONTROL

    Ensure SillyTavern is not exposed to untrusted users—apply network-level authentication (VPN, mTLS, SSH tunnel) before the application layer.

  6. DETECTION

    Alert on outbound requests from SillyTavern processes to internal IP ranges, IMDS endpoints, or unusual external domains. Review access logs for the asset download endpoint for anomalous destinations.
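
The destination check behind steps 3 and 6, as an added example that is not SillyTavern's own code: it parses each requested URL, canonicalises the host, and flags literals inside the ranges listed above. The function names and the JSON log record shape are assumptions made for illustration.

```javascript
// Added example. CIDR ranges are the ones listed on this page; function names
// and the log record shape are hypothetical.
const BLOCKED_V4 = [
  ['169.254.0.0', 16, 'link-local/IMDS'],
  ['10.0.0.0', 8, 'RFC 1918'],
  ['172.16.0.0', 12, 'RFC 1918'],
  ['192.168.0.0', 16, 'RFC 1918'],
];

// Dotted quad -> unsigned 32-bit integer.
const v4ToInt = (ip) =>
  ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
function matchV4(ip) {
  const n = v4ToInt(ip);
  const hit = BLOCKED_V4.find(([base, bits]) =>
    ((n & ((0xffffffff << (32 - bits)) >>> 0)) >>> 0) === v4ToInt(base));
  return hit ? hit[2] : null;
}

// Returns a reason string for a blocked destination, or null.
function classifyDestination(rawUrl) {
  let host;
  // Match on the parsed host: the URL parser canonicalises IP literals.
  try { host = new URL(rawUrl).hostname; } catch { return 'unparseable URL'; }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return matchV4(host);
  if (host.startsWith('[')) {
    const g = host.slice(1, -1).split(':');
    if ((parseInt(g[0] || '0', 16) >> 8) === 0xfd) return 'fd00::/8';
    if (host.startsWith('[::ffff:') && g.length === 5) {
      // IPv4-mapped IPv6 literal: unwrap and apply the IPv4 ranges.
      const [hi, lo] = [parseInt(g[3], 16), parseInt(g[4], 16)];
      return matchV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
  }
  return null; // public literal or DNS name (names need a resolved-IP check too)
}

// Constructed sample records, one JSON object per line.
const SAMPLE_LOG = [
  '{"user":"alice","url":"https://example.com/asset.png"}',
  '{"user":"bob","url":"http://169.254.169.254/latest/meta-data/"}',
  '{"user":"carol","url":"http://[fd00::10]:8080/models"}',
  '{"user":"dave","url":"http://172.20.0.5:9200/"}',
];

const flagRequests = (lines) =>
  lines.map((l) => JSON.parse(l))
    .map((r) => ({ ...r, reason: classifyDestination(r.url) }))
    .filter((r) => r.reason !== null);
```

DNS names pass this literal check untouched, so the egress rules from step 3 remain the enforcing control.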

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, Robustness and Cybersecurity
  Art. 9 - Risk Management System
ISO 42001
  A.6.2.6 - AI system security
  A.6.2.7 - AI System Supplier Relationships
  A.9.4 - Secure AI System Development
NIST AI RMF
  GOVERN-6.1 - Policies and practices are in place for AI risk governance across the organization
  MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
  MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of AI systems over their lifecycle
OWASP LLM Top 10
  LLM02:2025 - Sensitive Information Disclosure
  LLM06:2025 - Excessive Agency
  LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-26286?

CVE-2026-26286 is a high-severity SSRF in SillyTavern (<1.16.0) that lets any authenticated user pivot from the LLM UI to internal network services, including cloud metadata endpoints (AWS IMDS, GCP metadata). If SillyTavern is deployed on a cloud VM or internal server—common in MLOps GPU setups—this becomes a credential-theft vector with lateral movement potential. Patch immediately to 1.16.0; if patching is not immediate, restrict access to trusted users only and block outbound HTTP from the SillyTavern process to 169.254.169.254 and RFC-1918 ranges.

Is CVE-2026-26286 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-26286, increasing the risk of exploitation.

How to fix CVE-2026-26286?

1. PATCH: Upgrade to SillyTavern 1.16.0 immediately.
2. WORKAROUND: If patching is delayed, lock down the `whitelistImportDomains` array in config.yaml to explicitly permitted domains only.
3. NETWORK CONTROLS: Block outbound requests from the SillyTavern process/container to 169.254.169.254 (IMDS), fd00::/8 (IPv6 unique local addresses), 169.254.0.0/16 (link-local), and the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via host firewall or egress policy.
4. CLOUD HARDENING: Enable IMDSv2 with hop limit of 1 on AWS EC2 to prevent SSRF-based metadata access. On GCP/Azure apply equivalent metadata endpoint restrictions.
5. ACCESS CONTROL: Ensure SillyTavern is not exposed to untrusted users; apply network-level authentication (VPN, mTLS, SSH tunnel) before the application layer.
6. DETECTION: Alert on outbound requests from SillyTavern processes to internal IP ranges, IMDS endpoints, or unusual external domains. Review access logs for the asset download endpoint for anomalous destinations.

What systems are affected by CVE-2026-26286?

This vulnerability affects the following AI/ML architecture patterns: Local LLM inference setups (Ollama, LM Studio, llama.cpp), Cloud-hosted ML inference environments, RAG pipelines with SillyTavern as the UI layer, Agent frameworks using SillyTavern as front-end, MLOps environments with co-located model serving APIs, Private model registries on internal networks.

What is the CVSS score for CVE-2026-26286?

CVE-2026-26286 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.16.0, a Server-Side Request Forgery (SSRF) vulnerability in the asset download endpoint allows authenticated users to make arbitrary HTTP requests from the server and read the full response body, enabling access to internal services, cloud metadata, and private network resources. The vulnerability has been patched in the version 1.16.0 by introducing a whitelist domain check for asset download requests. It can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file.

Exploitation Scenario

An attacker with any valid SillyTavern account (or access to a shared/public instance) crafts a malicious asset download request targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted VM. The server fetches the URL and returns the full response—including temporary IAM access key, secret, and session token. The attacker uses those credentials to enumerate S3 buckets (potentially containing training data, model weights, or proprietary datasets), pivot to other AWS services, or escalate privileges. In a multi-tenant or team deployment, any low-privileged user can execute this without any social engineering or additional exploitation steps.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Timeline

Published: February 19, 2026
Last Modified: February 20, 2026
First Seen: February 19, 2026
