PT-2026-40545 · Authelia+2 · Authelia+2
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SillyTavern versions prior to 1.18.0
Description
An authentication bypass and account takeover issue exists when Authelia or Authentik SSO is enabled. The software accepts
Remote-User (for Authelia) and X-Authentik-Username (for Authentik) HTTP headers to automatically log in users without validating that these headers originate from a trusted reverse proxy. Consequently, any network client capable of reaching the SillyTavern port directly can inject these headers to authenticate as any user, including administrators, without a password. This occurs within the headerUserLogin() function called during requests to the '/login' endpoint. Additionally, the '/api/users/list' endpoint is publicly accessible, allowing attackers to enumerate user handles to facilitate the attack. Over 29,200 potentially affected instances were identified via FOFA in the past year.Recommendations
Update to version 1.18.0 or later, which introduces a configuration option to limit SSO header authorization to specific IP addresses, defaulting to loopback addresses.
As a temporary workaround, set
sso.autheliaAuth and sso.authentikAuth to false in the config.yaml file if SSO is not required.Exploit
Fix
Missing Authentication
Origin Validation Error
Authentication Bypass by Spoofing
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Authelia
Authentik
Sillytavern