CVE-2026-35486
Received Received - Intake
Server-Side Request Forgery in text-generation-webui RAG Extensions

Publication date: 2026-04-07

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation β€” no scheme check, no IP filtering, no hostname allowlist. An attacker can access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is exfiltrated through the RAG pipeline. This vulnerability is fixed in 4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35486
EUVD
EUVD-2026-19671
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oobabooga text_generation_web_ui to 4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to access sensitive internal resources such as cloud metadata endpoints and steal IAM credentials, which can lead to unauthorized access to confidential data. This unauthorized data exposure could potentially violate data protection regulations like GDPR and HIPAA that require strict controls over personal and sensitive information.

Since the exfiltrated content is stored and accessible through the language model’s context, it increases the risk of data leakage, which may result in non-compliance with confidentiality and data protection requirements mandated by these standards.

Therefore, organizations using vulnerable versions of text-generation-webui prior to 4.3 may face compliance risks if sensitive data is exposed or stolen due to this SSRF vulnerability.

Executive Summary

CVE-2026-35486 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the superbooga and superboogav2 extensions of the text-generation-webui project prior to version 4.3.

These extensions fetch user-supplied URLs using Python's requests.get() function without any validation such as checking the URL scheme, filtering IP addresses, or allowing only certain hostnames.

Because of this lack of validation, an attacker can supply malicious URLs that cause the server to access sensitive internal resources like cloud metadata endpoints (for example, AWS's 169.254.169.254), which can lead to stealing IAM credentials or probing internal services.

The fetched content is then parsed and stored in the system's database and injected into the language model's context, allowing the attacker to exfiltrate data through the language model's outputs.

This vulnerability can be exploited without any authentication and can be used to perform concurrent internal network scanning and data exfiltration.

The issue was fixed in version 4.3 by applying existing URL validation functions that check hostname resolution, IP address ranges, URL schemes, and redirects.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive internal resources and cloud metadata endpoints.

An attacker can steal IAM credentials, which can lead to further compromise of cloud infrastructure and services.

It also allows attackers to probe internal services, potentially discovering other vulnerabilities or sensitive information.

Since the exfiltrated data is injected into the language model's context and can be revealed through its outputs, sensitive information leakage is a significant risk.

The vulnerability requires no authentication and has low attack complexity, increasing the risk of exploitation.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected outbound HTTP requests initiated by the superbooga or superboogav2 extensions fetching user-supplied URLs without validation.

A proof of concept involves the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ being fetched, which indicates exploitation attempts to access cloud metadata endpoints.

To detect exploitation attempts on your system, you can monitor network traffic for requests to internal IP addresses such as 169.254.169.254 or other cloud metadata endpoints.

  • Use network monitoring tools like tcpdump or Wireshark to filter HTTP requests to internal IPs: tcpdump -i any host 169.254.169.254 and port 80
  • Check application logs for requests made by the superbooga extensions to suspicious URLs.
  • Search for stored data in ChromaDB or logs that contain cloud metadata or IAM credentials, which may indicate exfiltration.
Mitigation Strategies

The immediate mitigation step is to upgrade the text-generation-webui to version 4.3 or later, where this vulnerability is fixed.

The fix involves applying URL validation before fetching user-supplied URLs in the superbooga and superboogav2 extensions by importing and using the existing _validate_url() function from modules/web_search.py.

Until the upgrade or patch is applied, restrict network access from the text-generation-webui server to internal IP ranges and cloud metadata endpoints to prevent SSRF exploitation.

Additionally, monitor and audit any suspicious activity or data exfiltration attempts related to these extensions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart