Cyber Resilience

CVE-2026-34524

HighPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0057 42.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34524 is a high-severity Path Traversal (CWE-22) vulnerability in Sillytavern Sillytavern. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34524 is a path traversal vulnerability (CWE-22) affecting SillyTavern, a locally installed user interface for interacting with text generation large language models, image generation engines, and text-to-speech voice models. The flaw exists in chat endpoints prior to version 1.17.0, where an attacker can supply a malicious avatar_url parameter such as ".." to traverse directories. It has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network without user interaction. By manipulating the avatar_url in chat requests, they can read sensitive files or delete arbitrary files under the user's data root directory, such as secrets.json and settings.json, potentially exposing credentials or disrupting user configurations.

The issue was addressed in SillyTavern version 1.17.0, as detailed in the project's release notes and GitHub security advisory GHSA-vprr-q85p-79mf. Security practitioners should upgrade to version 1.17.0 or later to mitigate the vulnerability.

Given SillyTavern's role in interfacing with AI/ML models like LLMs, this vulnerability highlights risks in local AI tooling where user data roots may store sensitive API keys or model configurations. No public reports of real-world exploitation were noted at publication on 2026-04-02.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker…

more

to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in chat endpoints enables direct reading of credential files (e.g. secrets.json) and deletion of arbitrary files (e.g. settings.json) under the data root, facilitating credential access from files and file deletion.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34522Same product: Sillytavern Sillytavern
CVE-2026-26286Same product: Sillytavern Sillytavern
CVE-2025-24960Shared CWE-22
CVE-2026-32808Shared CWE-22
CVE-2025-14520Shared CWE-22
CVE-2026-7807Shared CWE-22
CVE-2020-36909Shared CWE-22
CVE-2026-4350Shared CWE-22
CVE-2025-7643Shared CWE-22
CVE-2020-37015Shared CWE-22

Affected Assets

sillytavern
sillytavern
≤ 1.17.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates path traversal by requiring validation of the avatar_url parameter in chat endpoints to block directory traversal sequences like '.. '.

prevent

Ensures timely patching of the path traversal flaw by upgrading SillyTavern to version 1.17.0 or later, eliminating the vulnerability.

detect

Enables monitoring of system activity to detect anomalous file reads or deletions under the user data root triggered by exploitation attempts.

References