Cyber Posture

CVE-2026-26286

Severity: High · Public PoC

Published: 19 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: fixed in 1.16.0
CVSS Score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0002 (3.9th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26286 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in SillyTavern (vendor: SillyTavern). Its CVSS v3.1 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Remote System Discovery (T1018). The CVE ranks at the 3.9th percentile by exploit likelihood (EPSS, below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Remote System Discovery (T1018) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent)
Requires validation of the asset download URL input to restrict requests to whitelisted domains, directly preventing SSRF exploitation as implemented in the patch.

SC-7 Boundary Protection (prevent)
Monitors and controls outbound communications at system boundaries, blocking server requests to internal services, cloud metadata, and private networks.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation through software updates, directly addressing the SSRF vulnerability fixed in SillyTavern 1.16.0.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1018 Remote System Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

T1046 Network Service Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1522 Cloud Instance Metadata API (tactic: Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

T1552.005 Cloud Instance Metadata API (tactic: Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF directly enables server-initiated HTTP requests to internal/private resources (T1018/T1046 for discovery) and cloud metadata endpoints (T1522/T1552.005 for credential access).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.16.0, a Server-Side Request Forgery (SSRF) vulnerability in the asset download endpoint allows authenticated users to make arbitrary HTTP requests from the server and read the full response body, enabling access to internal services, cloud metadata, and private network resources. The vulnerability has been patched in version 1.16.0 by introducing a whitelist domain check for asset download requests. The whitelist can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file.

Deeper analysis [AI-generated]

CVE-2026-26286 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting SillyTavern, a locally installed user interface for interacting with text generation large language models, image generation engines, and text-to-speech voice models. The issue resides in the asset download endpoint in versions prior to 1.16.0, where insufficient validation allows authenticated users to trigger arbitrary HTTP requests from the server and retrieve the full response body.

An authenticated user with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality impact (C:H) through changed scope (S:C) and low integrity impact (I:L), as reflected in its CVSS v3.1 base score of 8.5. Attackers can leverage the SSRF to access internal services, cloud metadata endpoints, and private network resources by crafting malicious requests via the asset download functionality.

The vulnerability was addressed in SillyTavern version 1.16.0 through the addition of a whitelist domain check for asset download requests, which can be reviewed and customized by editing the `whitelistImportDomains` array in the `config.yaml` file. Details are available in the GitHub Security Advisory at https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-cccp-94vg-j92r.
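The fix described above is a domain allowlist applied to the asset download URL before the server fetches it. The following is an added example written for this page, not SillyTavern's own code and not taken from the advisory: the `config` object, the function names and the sample domains are assumptions, and only the `whitelistImportDomains` key name mirrors the setting the page mentions. It shows the checks a defender would want such an allowlist to include: scheme restriction, rejection of embedded credentials, rejection of IP literals (which the WHATWG URL parser has already normalised from decimal, octal or hex forms), and a suffix match that does not let `notexample.com` satisfy an entry for `example.com`.

```javascript
// Added example, not SillyTavern's code: an allowlist check for
// user-supplied asset download URLs, the class of fix the advisory
// describes for CVE-2026-26286. The config object, function names and
// sample domains are assumptions; only the `whitelistImportDomains`
// key name mirrors the page.

// Constructed sample configuration (hypothetical domains).
const config = {
  whitelistImportDomains: [
    'example.com',     // matches example.com and any subdomain of it
    'cdn.example.org',
  ],
};

// Normalise a hostname for comparison: lower-case, and strip a trailing
// dot (FQDN form) so "example.com." cannot slip past an exact-match check.
function normaliseHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '');
}

// True when host equals an allowlisted domain or is a subdomain of one.
// The leading '.' in the endsWith check stops "notexample.com" from
// matching the entry "example.com".
function hostMatchesAllowlist(hostname, allowlist) {
  const host = normaliseHost(hostname);
  return allowlist.some((entry) => {
    const domain = normaliseHost(entry);
    return host === domain || host.endsWith('.' + domain);
  });
}

// Validates a download URL before the server fetches it.
// Returns { ok: true, url } or { ok: false, reason }.
function validateAssetUrl(input, allowlist = config.whitelistImportDomains) {
  let url;
  try {
    url = new URL(input); // WHATWG parser: normalises host forms
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  // Only plain web schemes; rejects file:, ftp:, data:, gopher: and so on.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  // "https://good.example.com@other.test/" puts the trusted name in the
  // userinfo part; the real host is other.test. Reject any credentials.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials in URL' };
  }
  // A numeric host can never match a domain allowlist. The parser has
  // already rewritten decimal, octal or hex IPv4 forms to dotted quads
  // and wraps IPv6 in brackets, so two checks cover both families.
  const host = url.hostname;
  if (host.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return { ok: false, reason: 'IP literal not allowed' };
  }
  if (!hostMatchesAllowlist(host, allowlist)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true, url: url.href };
}
```

Two caveats for anyone adopting this pattern. First, the check runs on the URL the user supplied; if the HTTP client follows redirects, an allowlisted host can still redirect the server elsewhere, so the client should either refuse redirects or re-run `validateAssetUrl` on every hop. Second, an allowlisted name can resolve to an internal address, which a hostname check cannot see; that is why the page pairs input validation (SI-10) with boundary protection (SC-7) in the form of egress filtering on the host running the server.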

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products
Vendor: sillytavern
Product: sillytavern
Versions: ≤ 1.16.0

CVEs Like This One

CVE-2026-34522 (same product: SillyTavern)
CVE-2026-34524 (same product: SillyTavern)
CVE-2026-33226 (shared CWE-918)
CVE-2026-30953 (shared CWE-918)
CVE-2026-33024 (shared CWE-918)
CVE-2026-5936 (shared CWE-918)
CVE-2026-32133 (shared CWE-918)
CVE-2026-40348 (shared CWE-918)
CVE-2026-30232 (shared CWE-918)
CVE-2026-3478 (shared CWE-918)
