Executive Summary

CVE-2026-35050 is a critical Remote Code Execution (RCE) vulnerability in the text-generation-webui package (versions ≤ 4.1). It arises from a path traversal flaw in the feature that allows users to save extension settings in a "py" format within the application root directory. This flaw enables an attacker to overwrite arbitrary Python files, such as "download-model.py".

The overwritten Python file can then be executed from the "Model" menu when downloading a new model, allowing a remote attacker with access to the Web UI to execute arbitrary code on the backend server with the application's privileges.

The vulnerability exists because the backend does not properly validate file paths and names, relying only on frontend checks that can be bypassed. This improper limitation of pathname to a restricted directory is classified under CWE-22.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with access to the Web UI to execute arbitrary Python code on the backend server with the application's privileges.

As a result, the attacker could gain full control over the server, potentially accessing, modifying, or deleting all data available to the application.

The impact includes a complete compromise of confidentiality, integrity, and availability of the system, as reflected by the CVSS score of 9.1 (Critical).

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal and arbitrary file overwrite feature in the text-generation-webui application prior to version 4.1.1.

• Run the application and navigate to "Session" -> "Save extension settings to user_data/settings.yaml".
• Use browser developer tools to enable editing of the normally disabled "File Folder" field.
• Set "File Folder" to "./" and "File Name" to "download-model.py".
• Insert malicious Python code such as `import os; os.system("touch /tmp/proof-of-concept.txt")` into the "File contents" field.
• Trigger execution by attempting to download any model from the "Model" menu.
• Check the server for the presence of the file "/tmp/proof-of-concept.txt" to confirm code execution.

Alternatively, intercept and modify the POST request to `/queue/join` using a web proxy like Burp Suite to change the file path and contents, then trigger execution and verify similarly.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the "Save extension settings" functionality to prevent saving files in arbitrary locations.

• Restrict saving only to a fixed, unchangeable file.
• Implement strict backend validation of the "File Folder" and "File Name" fields, ensuring filenames end with ".yaml".
• Enforce path traversal protections by verifying that resolved file paths remain within a designated safe directory, for example by checking if `os.path.commonprefix((os.path.realpath(requested_path), safe_dir)) == safe_dir` before processing.
• Avoid relying solely on frontend validation, as it can be bypassed by attackers.

Upgrading to version 4.1.1 or later, where this vulnerability is fixed, is strongly recommended.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with access to the Web UI to execute arbitrary code on the backend server with the application's privileges, potentially gaining full control over the server and access to all data available to the application.

Such unauthorized access and control over sensitive data can lead to violations of common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive information.

Therefore, if exploited, this vulnerability could compromise data confidentiality, integrity, and availability, resulting in non-compliance with these regulations.

Useful 0 Not Useful 0