CVE-2026-35050
Arbitrary File Overwrite in text-generation-webui Enables Code Execution
Publication date: 2026-04-06
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oobabooga | textgen | to 4.1.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35050 is a critical Remote Code Execution (RCE) vulnerability in the text-generation-webui package (versions ≤ 4.1). It arises from a path traversal flaw in the feature that allows users to save extension settings in a "py" format within the application root directory. This flaw enables an attacker to overwrite arbitrary Python files, such as "download-model.py".
The overwritten Python file can then be executed from the "Model" menu when downloading a new model, allowing a remote attacker with access to the Web UI to execute arbitrary code on the backend server with the application's privileges.
The vulnerability exists because the backend does not properly validate file paths and names, relying only on frontend checks that can be bypassed. This improper limitation of pathname to a restricted directory is classified under CWE-22.
How can this vulnerability impact me?
This vulnerability allows an attacker with access to the Web UI to execute arbitrary Python code on the backend server with the application's privileges.
As a result, the attacker could gain full control over the server, potentially accessing, modifying, or deleting all data available to the application.
The impact includes a complete compromise of confidentiality, integrity, and availability of the system, as reflected by the CVSS score of 9.1 (Critical).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the path traversal and arbitrary file overwrite feature in the text-generation-webui application prior to version 4.1.1.
- Run the application and navigate to "Session" -> "Save extension settings to user_data/settings.yaml".
- Use browser developer tools to enable editing of the normally disabled "File Folder" field.
- Set "File Folder" to "./" and "File Name" to "download-model.py".
- Insert malicious Python code such as `import os; os.system("touch /tmp/proof-of-concept.txt")` into the "File contents" field.
- Trigger execution by attempting to download any model from the "Model" menu.
- Check the server for the presence of the file "/tmp/proof-of-concept.txt" to confirm code execution.
Alternatively, intercept and modify the POST request to `/queue/join` using a web proxy like Burp Suite to change the file path and contents, then trigger execution and verify similarly.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the "Save extension settings" functionality to prevent saving files in arbitrary locations.
- Restrict saving only to a fixed, unchangeable file.
- Implement strict backend validation of the "File Folder" and "File Name" fields, ensuring filenames end with ".yaml".
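- Enforce path traversal protections by verifying that resolved file paths remain within a designated safe directory, for example by checking if `os.path.commonpath((os.path.realpath(requested_path), safe_dir)) == safe_dir` before processing (`os.path.commonprefix` compares strings character by character, so it would also accept a sibling directory whose name merely starts with `safe_dir`).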
- Avoid relying solely on frontend validation, as it can be bypassed by attackers.
Upgrading to version 4.1.1 or later, where this vulnerability is fixed, is strongly recommended.
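The backend validation described in the mitigation list above, as an added example (not the project's own code or its 4.1.1 fix). The names `resolve_save_path`, `safe_dir`, `folder` and `name` are assumptions standing in for the allowed directory and the "File Folder" and "File Name" fields, and the requests are constructed samples.

```python
import os
import tempfile

class UnsafePath(ValueError):
    """Raised when a requested save location fails backend validation."""

def resolve_save_path(safe_dir, folder, name):
    """Return the absolute path to write, or raise UnsafePath."""
    # The file name must be a bare name: no directory part, no separators.
    if name != os.path.basename(name) or "\\" in name or name in ("", ".", ".."):
        raise UnsafePath("file name must not contain a path")
    # Only settings files may be written, never .py or other code.
    if not name.lower().endswith(".yaml"):
        raise UnsafePath("file name must end with .yaml")
    base = os.path.realpath(safe_dir)
    # realpath collapses "..", "./" and symlinks before the comparison.
    target = os.path.realpath(os.path.join(base, folder, name))
    # commonpath compares whole path components, so "<base>_evil" is rejected
    # where a character-wise prefix comparison would accept it.
    if os.path.commonpath((target, base)) != base:
        raise UnsafePath("resolved path leaves the allowed directory")
    return target

def check(safe_dir, folder, name):
    """Return "ok" or the rejection reason for one request."""
    try:
        resolve_save_path(safe_dir, folder, name)
        return "ok"
    except ValueError as exc:
        return str(exc)

def demo():
    """Run constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        safe = os.path.join(root, "user_data")
        os.makedirs(safe)
        requests = [  # constructed sample inputs (folder, name)
            ("", "settings.yaml"),
            ("./", "download-model.py"),
            ("../", "settings.yaml"),
            ("../user_data_evil", "settings.yaml"),
            ("", "../settings.yaml"),
        ]
        return [check(safe, f, n) for f, n in requests]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check has to run on the server for every save request, since the field values arrive from the client and may differ from what the UI allows.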
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with access to the Web UI to execute arbitrary code on the backend server with the application's privileges, potentially gaining full control over the server and access to all data available to the application.
Such unauthorized access and control over sensitive data can lead to violations of common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive information.
Therefore, if exploited, this vulnerability could compromise data confidentiality, integrity, and availability, resulting in non-compliance with these regulations.