CVE-2026-35484
Received - Intake
Path Traversal in text-generation-webui Exposes Sensitive YAML Data

Publication date: 2026-04-07

Last updated on: 2026-04-28

Assigner: GitHub, Inc.

Description
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_preset() allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs (including passwords, API keys, connection strings) are returned in the API response. This vulnerability is fixed in 4.3.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: oobabooga
Product: textgen
Version / Range: up to 4.3 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35484 is a path traversal vulnerability in the load_preset() function of the text-generation-webui package versions prior to 4.3.

The vulnerability arises because the function constructs a file path using a user-supplied 'name' parameter without properly sanitizing it, allowing an attacker to manipulate the path to access files outside the intended directory.

Specifically, an attacker can submit a crafted API request with a path traversal payload (e.g., name="../../secret/db_config") to read arbitrary .yaml files on the server filesystem.

The server then parses the targeted YAML file and returns all key-value pairs, including sensitive data such as passwords, API keys, and connection strings, in the API response.

No authentication is required to exploit this vulnerability, making it accessible to unauthenticated attackers.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive information stored in YAML configuration files on the server.

Since YAML files often contain critical data such as passwords, API keys, connection strings, Kubernetes manifests, Docker Compose files, and CI/CD configurations, an attacker can exfiltrate these secrets.

Because no authentication is required, any attacker with network access to the vulnerable service can exploit this flaw.

The impact is primarily confidentiality loss, which could lead to further compromise of systems or data breaches.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the path traversal in the load_preset() API endpoint by sending crafted requests with path traversal payloads in the 'name' parameter.

For example, you can use curl or similar tools to send a request to the vulnerable API endpoint with a payload like name="../../secret/db_config" to see if arbitrary YAML files outside the intended directory are returned.

A sample command might be:

  • curl -X POST "http://<target-server>/api/load_preset" -d "name=../../secret/db_config"

If the response contains YAML key-value pairs from files outside the presets directory, the vulnerability is present.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to read arbitrary YAML files on the server, which may contain sensitive data such as passwords, API keys, and connection strings.

This unauthorized disclosure of sensitive configuration data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding of sensitive information and prevention of unauthorized access.

Since the vulnerability exposes confidential information without authentication, it increases the risk of data breaches and could result in violations of confidentiality requirements mandated by these regulations.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the text-generation-webui package to version 4.3 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, apply sanitization to the 'name' parameter in the load_preset() function to prevent directory traversal, such as using os.path.basename(name) before constructing the file path.

Additionally, restrict access to the API endpoint to trusted users or networks to reduce exposure.
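
One way to implement the sanitization described above, shown beside the flawed pattern. This is an added example, not text-generation-webui's own code or its actual fix: the function names and the directory layout are hypothetical, and the symlink containment check goes beyond the os.path.basename() step the text names.

```python
import os
import tempfile
from pathlib import Path

def unsafe_preset_path(presets_dir: Path, name: str) -> Path:
    # Flawed pattern described above: user-supplied 'name' joined unchanged.
    return presets_dir / f"{name}.yaml"

def safe_preset_path(presets_dir: Path, name: str) -> Path:
    # 1) Keep only the final path component (the os.path.basename mitigation);
    #    backslashes are normalised so they are stripped on POSIX hosts too.
    leaf = os.path.basename(name.replace("\\", "/"))
    if leaf in ("", ".", ".."):
        raise ValueError(f"invalid preset name: {name!r}")
    # 2) Resolve symlinks and confirm the file is still under presets_dir.
    root = presets_dir.resolve()
    candidate = (root / f"{leaf}.yaml").resolve()
    if root not in candidate.parents:
        raise ValueError(f"preset resolves outside presets directory: {name!r}")
    return candidate

def demo() -> dict:
    # Constructed layout: presets/default.yaml and a secret outside presets/.
    with tempfile.TemporaryDirectory() as tmp:
        presets, secret = Path(tmp, "presets"), Path(tmp, "secret")
        presets.mkdir()
        secret.mkdir()
        (presets / "default.yaml").write_text("temperature: 0.7\n")
        (secret / "db_config.yaml").write_text("password: constructed-value\n")
        os.symlink(secret / "db_config.yaml", presets / "link.yaml")
        root = presets.resolve()
        hostile = "../secret/db_config"  # same shape as the payload quoted above
        unsafe = unsafe_preset_path(presets, hostile).resolve()
        safe = safe_preset_path(presets, hostile)
        try:
            safe_preset_path(presets, "link")
            symlink_blocked = False
        except ValueError:
            symlink_blocked = True
        return {
            "unsafe_escapes": root not in unsafe.parents,
            "unsafe_leaks": unsafe.read_text(),
            "safe_stays_inside": safe.parent == root,
            "safe_file_exists": safe.exists(),
            "legit_ok": safe_preset_path(presets, "default").name == "default.yaml",
            "symlink_blocked": symlink_blocked,
        }

if __name__ == "__main__":
    print(demo())
```

The basename step alone maps the hostile name to a file inside the presets directory that does not exist; the resolve-and-compare step is what stops a symlink placed inside that directory from pointing back out.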

