CVE-2026-34524
Published: 02 April 2026
Summary
CVE-2026-34524 is a high-severity Path Traversal (CWE-22) vulnerability in Sillytavern Sillytavern. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates path traversal by requiring validation of the avatar_url parameter in chat endpoints to block directory traversal sequences like '.. '.
Ensures timely patching of the path traversal flaw by upgrading SillyTavern to version 1.17.0 or later, eliminating the vulnerability.
Enables monitoring of system activity to detect anomalous file reads or deletions under the user data root triggered by exploitation attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in chat endpoints enables direct reading of credential files (e.g. secrets.json) and deletion of arbitrary files (e.g. settings.json) under the data root, facilitating credential access from files and file deletion.
NVD Description
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker…
more
to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0.
Deeper analysisAI
CVE-2026-34524 is a path traversal vulnerability (CWE-22) affecting SillyTavern, a locally installed user interface for interacting with text generation large language models, image generation engines, and text-to-speech voice models. The flaw exists in chat endpoints prior to version 1.17.0, where an attacker can supply a malicious avatar_url parameter such as ".." to traverse directories. It has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network without user interaction. By manipulating the avatar_url in chat requests, they can read sensitive files or delete arbitrary files under the user's data root directory, such as secrets.json and settings.json, potentially exposing credentials or disrupting user configurations.
The issue was addressed in SillyTavern version 1.17.0, as detailed in the project's release notes and GitHub security advisory GHSA-vprr-q85p-79mf. Security practitioners should upgrade to version 1.17.0 or later to mitigate the vulnerability.
Given SillyTavern's role in interfacing with AI/ML models like LLMs, this vulnerability highlights risks in local AI tooling where user data roots may store sensitive API keys or model configurations. No public reports of real-world exploitation were noted at publication on 2026-04-02.
Details
- CWE(s)