CVE-2026-35487
Received Received - Intake
Path Traversal in text-generation-webui Allows Unauthorized File Access

Publication date: 2026-04-07

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_prompt() allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability is fixed in 4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35487
EUVD
EUVD-2026-19672
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oobabooga text_generation_web_ui to 4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary .txt files on the server filesystem, potentially exposing sensitive information such as API keys, environment notes, deployment logs, password lists, and license keys.

Exposure of sensitive data through this vulnerability could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.

Since the vulnerability enables data exfiltration without authentication, it increases the risk of data breaches that these regulations aim to prevent.

Executive Summary

CVE-2026-35487 is a path traversal vulnerability in the load_prompt() function of the text-generation-webui package (versions prior to 4.3). It allows an unauthenticated attacker to read any .txt file on the server filesystem by manipulating the filename parameter (fname) without proper sanitization.

The vulnerability occurs because the fname parameter is used to construct a file path without validating or sanitizing it, enabling attackers to escape the intended directory and access arbitrary .txt files. The file content is then returned verbatim in the API response.

This issue is fixed in version 4.3 by sanitizing the input filename to prevent directory traversal.

Impact Analysis

This vulnerability can allow attackers to read any .txt file accessible by the server process without authentication.

  • Attackers can exfiltrate sensitive information such as API keys, environment notes, deployment logs, password lists, and license keys if these are stored in .txt files.
  • Since no privileges or user interaction are required, the attack is relatively easy to perform remotely.

The confidentiality of sensitive data is compromised, although integrity and availability are not affected.

Detection Guidance

This vulnerability can be detected by sending crafted API requests to the text-generation-webui server that attempt to exploit the path traversal in the load_prompt() function.

Specifically, you can test by sending a POST request with a path traversal payload in the fname parameter, such as fname="../../secret/api_keys".

If the server returns the contents of an arbitrary .txt file outside the intended directory, the vulnerability is present.

Example command using curl to test the vulnerability:

  • curl -X POST -d "fname=../../secret/api_keys" http://<server-address>/api/load_prompt

Replace <server-address> with the actual address of your text-generation-webui server.

Mitigation Strategies

The immediate mitigation step is to upgrade the text-generation-webui package to version 4.3 or later, where this vulnerability is fixed.

The fix involves sanitizing the fname parameter by applying os.path.basename() before constructing the file path, preventing directory traversal.

Until you can upgrade, consider restricting access to the API endpoint to trusted users or networks to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart