CVE-2026-35486
Server-Side Request Forgery in text-generation-webui RAG Extensions
Publication date: 2026-04-07
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oobabooga | text_generation_web_ui | to 4.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35486 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the superbooga and superboogav2 extensions of the text-generation-webui project prior to version 4.3.
These extensions fetch user-supplied URLs using Python's requests.get() function without any validation such as checking the URL scheme, filtering IP addresses, or allowing only certain hostnames.
Because of this lack of validation, an attacker can supply malicious URLs that cause the server to access sensitive internal resources like cloud metadata endpoints (for example, AWS's 169.254.169.254), which can lead to stealing IAM credentials or probing internal services.
The fetched content is then parsed and stored in the system's database and injected into the language model's context, allowing the attacker to exfiltrate data through the language model's outputs.
This vulnerability can be exploited without any authentication and can be used to perform concurrent internal network scanning and data exfiltration.
The issue was fixed in version 4.3 by applying existing URL validation functions that check hostname resolution, IP address ranges, URL schemes, and redirects.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to sensitive internal resources and cloud metadata endpoints.
An attacker can steal IAM credentials, which can lead to further compromise of cloud infrastructure and services.
It also allows attackers to probe internal services, potentially discovering other vulnerabilities or sensitive information.
Since the exfiltrated data is injected into the language model's context and can be revealed through its outputs, sensitive information leakage is a significant risk.
The vulnerability requires no authentication and has low attack complexity, increasing the risk of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected outbound HTTP requests initiated by the superbooga or superboogav2 extensions fetching user-supplied URLs without validation.
A proof of concept involves the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ being fetched, which indicates exploitation attempts to access cloud metadata endpoints.
To detect exploitation attempts on your system, you can monitor network traffic for requests to internal IP addresses such as 169.254.169.254 or other cloud metadata endpoints.
- Use network monitoring tools like tcpdump or Wireshark to filter HTTP requests to internal IPs: tcpdump -i any host 169.254.169.254 and port 80
- Check application logs for requests made by the superbooga extensions to suspicious URLs.
- Search for stored data in ChromaDB or logs that contain cloud metadata or IAM credentials, which may indicate exfiltration.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the text-generation-webui to version 4.3 or later, where this vulnerability is fixed.
The fix involves applying URL validation before fetching user-supplied URLs in the superbooga and superboogav2 extensions by importing and using the existing _validate_url() function from modules/web_search.py.
Until the upgrade or patch is applied, restrict network access from the text-generation-webui server to internal IP ranges and cloud metadata endpoints to prevent SSRF exploitation.
Additionally, monitor and audit any suspicious activity or data exfiltration attempts related to these extensions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to access sensitive internal resources such as cloud metadata endpoints and steal IAM credentials, which can lead to unauthorized access to confidential data. This unauthorized data exposure could potentially violate data protection regulations like GDPR and HIPAA that require strict controls over personal and sensitive information.
Since the exfiltrated content is stored and accessible through the language modelβs context, it increases the risk of data leakage, which may result in non-compliance with confidentiality and data protection requirements mandated by these standards.
Therefore, organizations using vulnerable versions of text-generation-webui prior to 4.3 may face compliance risks if sensitive data is exposed or stolen due to this SSRF vulnerability.