Authelia · Authelia · CVE-2026-44649
**Name of the Vulnerable Software and Affected Versions**
SillyTavern versions prior to 1.18.0
**Description**
An authentication bypass and account takeover issue exists when Authelia or Authentik SSO is enabled. The software accepts `Remote-User` (for Authelia) and `X-Authentik-Username` (for Authentik) HTTP headers to automatically log in users without validating that these headers originate from a trusted reverse proxy. Consequently, any network client capable of reaching the SillyTavern port directly can inject these headers to authenticate as any user, including administrators, without a password. This occurs within the `headerUserLogin()` function called during requests to the `/login` endpoint. Additionally, the `/api/users/list` endpoint is publicly accessible, allowing attackers to enumerate user handles to facilitate the attack. Over 29,200 potentially affected instances were identified via FOFA in the past year.
**Recommendations**
Update to version 1.18.0 or later, which introduces a configuration option to limit SSO header authorization to specific IP addresses, defaulting to loopback addresses.
As a temporary workaround, set `sso.autheliaAuth` and `sso.authentikAuth` to `false` in the `config.yaml` file if SSO is not required.