CVE-2026-35486 HIGH

CVE-2026-35486: text-generation-webui has an SSRF in the superbooga/superboogav2 extensions (no URL validation)

Vendor Oobabooga
Product text-generation-webui
Weakness CWE-918 · SSRF
Published April 7, 2026
Last update April 9, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

text-generation-webui is an open-source web interface for running Large Language Models. Prior to version 4.3, the superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with no validation at all: no scheme check, no IP filtering, no hostname allowlist. An attacker can therefore reach cloud metadata endpoints, steal IAM credentials, and probe internal services, and because the fetched content is returned through the RAG pipeline, the response is exfiltrated to the attacker as well. The vulnerability is fixed in version 4.3.
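The checks the advisory says were missing, as an added example. This is not the text-generation-webui code nor its 4.3 fix; it is a generic hardened fetcher for a "load this URL into RAG" feature, with the three named gaps (scheme, resolved-IP filtering, hostname allowlist) closed and redirects re-validated hop by hop. The hostnames, addresses and pages in the fixtures are invented so the example runs offline; `requests_fetch` is the only part that touches the network.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}   # no file://, ftp://, gopher://, dict:// ...
MAX_REDIRECTS = 5
MAX_BYTES = 5 * 1024 * 1024           # cap what enters the RAG store


class UnsafeURL(ValueError):
    """Raised when the server must not fetch a URL on a user's behalf."""


def resolve_with_system_dns(host):
    """Every address (A and AAAA) the OS resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(addr):
    """True for any address a server-side fetcher must never contact:
    RFC 1918, loopback, link-local (169.254.169.254 lives here), etc."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolver=resolve_with_system_dns, allowed_hosts=None):
    """Scheme check, optional hostname allowlist, then filter on what the
    host actually resolves to. Returns the addresses or raises UnsafeURL."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parsed.scheme!r} not allowed")
    host = parsed.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    if parsed.username or parsed.password:
        raise UnsafeURL("credentials in URL not allowed")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    try:
        addrs = resolver(host)
    except socket.gaierror as exc:
        raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    internal = [a for a in addrs if is_internal(a)]
    if not addrs or internal:   # reject if ANY answer is internal (split answers)
        raise UnsafeURL(f"{host!r} resolves to {internal or 'nothing'}")
    return addrs


def safe_get(url, fetch, resolver=resolve_with_system_dns, allowed_hosts=None):
    """Fetch url, re-validating every redirect hop. fetch(url) returns
    (status, headers, body) and must NOT follow redirects itself."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver, allowed_hosts)
        status, headers, body = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # relative Location resolved, then re-checked
            continue
        return body
    raise UnsafeURL("too many redirects")


def requests_fetch(url, timeout=10):
    """Adapter for safe_get built on requests (imported lazily so the rest of
    the file runs without it). allow_redirects=False keeps hops in safe_get."""
    import requests
    resp = requests.get(url, allow_redirects=False, timeout=timeout, stream=True)
    body = resp.raw.read(MAX_BYTES, decode_content=True)
    return resp.status_code, dict(resp.headers), body


# --- constructed offline fixtures: hosts, addresses and pages are invented ---
FAKE_DNS = {
    "docs.example.com": ["93.184.216.34"],                 # placeholder public address
    "localhost": ["127.0.0.1"],
    "metadata.example.net": ["169.254.169.254"],           # DNS name pointing at IMDS
    "rebind.example.net": ["93.184.216.35", "10.0.0.5"],   # split public/private answer
}
FAKE_WEB = {
    "https://docs.example.com/page": (200, {}, b"public page"),
    "https://docs.example.com/hop": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def fake_resolver(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        ipaddress.ip_address(host)   # an IP literal "resolves" to itself
        return [host]
    except ValueError:
        raise socket.gaierror(-2, f"{host}: Name or service not known")


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, b""))


def reject_reason(url, allowed_hosts=None):
    """None if url passes validation against the fixtures, else the reason."""
    try:
        validate_url(url, fake_resolver, allowed_hosts)
        return None
    except UnsafeURL as exc:
        return str(exc)


def fetch_outcome(url):
    """Body on success, else the rejection message (fixtures only)."""
    try:
        return safe_get(url, fake_fetch, fake_resolver)
    except UnsafeURL as exc:
        return str(exc)


if __name__ == "__main__":
    for u in ("https://docs.example.com/page", "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/", "http://localhost:7860/",
              "http://[::ffff:169.254.169.254]/", "http://rebind.example.net/"):
        print(f"{u:45} -> {reject_reason(u) or 'allowed'}")
    print(fetch_outcome("https://docs.example.com/hop"))
```

Two caveats a practitioner will want. First, filtering on the resolved address still leaves a DNS-rebinding window: this code resolves the name once, then the HTTP client resolves it again when it connects, and an attacker-controlled authoritative server can answer differently the second time. Closing that gap means connecting to the address you validated (pinning the IP and setting Host/SNI yourself) or routing all server-side fetches through an egress proxy that enforces the same deny list. Second, the Python `ipaddress` predicates classify the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which is why the fixtures above use a different placeholder for the "public" host; do not be surprised when test data from those ranges is rejected.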

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 9, 2026 Record updated

Related vulnerabilities

04Related CVE