High severity7.5NVD Advisory· Published Apr 7, 2026· Updated Apr 9, 2026

CVE-2026-35486

Description

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation — no scheme check, no IP filtering, no hostname allowlist. An attacker can access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is exfiltrated through the RAG pipeline. This vulnerability is fixed in 4.3.

Affected products

Oobabooga/Text Generation Web Ui
cpe:2.3:a:oobabooga:text_generation_web_ui:*:*:*:*:*:*:*:*
Range: <4.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jvrj-w5hq-6cp2nvdExploitVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000