CVE-2026-35486

text-generation-webui has a SSRF in superbooga/superboogav2 extensions — no URL validation

Description

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation — no scheme check, no IP filtering, no hostname allowlist. An attacker can access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is exfiltrated through the RAG pipeline. This vulnerability is fixed in 4.3.

INFO

Published Date :

2026-04-07T14:49:37.805Z

Last Modified :

2026-04-09T14:37:31.599Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-35486 vulnerability.

Vendors	Products
Oobabooga	Text-generation-webui Text Generation Web Ui

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35486.

URL	Resource
https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jvrj-w5hq-6cp2

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact