Compliance Impact

This vulnerability allows unauthenticated attackers to read any file on the server filesystem, including sensitive files such as SSH private keys, environment files, API tokens, and application configurations.

Exposure of such sensitive information can lead to unauthorized access and data breaches, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data.

Since the vulnerability enables high confidentiality impact without requiring authentication, it increases the risk of non-compliance with these standards due to potential unauthorized data disclosure.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35485 is a high-severity path traversal vulnerability in the text-generation-webui project, specifically in the load_grammar() function before version 4.3.

The vulnerability arises because the load_grammar() function reads files based on a parameter that is not validated or sanitized. This parameter comes from a Gradio Dropdown component, but Gradio does not enforce server-side validation, allowing attackers to submit arbitrary directory traversal strings like '../../../etc/passwd'.

As a result, an unauthenticated attacker can send crafted POST requests to the API endpoint and read any file on the server filesystem without restriction on file extensions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to read any file accessible by the server process.

• Exposure of sensitive files such as /etc/passwd, SSH private keys (~/.ssh/id_rsa), .env files, API tokens, and application configuration files.
• Potential compromise of server confidentiality due to unauthorized file disclosure.
• Increased risk in default or cloud deployments where authentication is optional or the server is exposed remotely.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the unauthenticated path traversal in the load_grammar() API endpoint of the text-generation-webui server.

A practical detection method is to send a crafted POST request to the vulnerable endpoint with a directory traversal payload and observe if the server returns the contents of arbitrary files.

Example commands to test for the vulnerability include:

• Start the server (if testing locally): python server.py --listen-port 7861
• Send a POST request with a directory traversal payload: curl -X POST http://127.0.0.1:7861/gradio_api/call/load_grammar -H "Content-Type: application/json" -d '{"data": ["../../../etc/passwd"]}'
• Retrieve the file contents using the returned event_id: curl http://127.0.0.1:7861/gradio_api/call/load_grammar/<event_id>

If the contents of /etc/passwd or other sensitive files are returned, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the text-generation-webui to version 4.3 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, apply filename sanitization in the load_grammar() function by using os.path.basename(name) before constructing the file path to prevent directory traversal.

Additionally, restrict access to the server by enabling authentication (e.g., using the --gradio-auth option) and avoid exposing the server publicly without proper access controls.

Useful 0 Not Useful 0