{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/text-generation-webui/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35486"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","text-generation-webui","cve-2026-35486","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe text-generation-webui application is an open-source web interface for running Large Language Models (LLMs). Prior to version 4.3, the superbooga and superboogav2 RAG (Retrieval-Augmented Generation) extensions are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. These extensions fetch user-provided URLs using the \u003ccode\u003erequests.get()\u003c/code\u003e function without proper validation. Specifically, there are no checks for URL schemes (e.g., \u003ccode\u003efile://\u003c/code\u003e, \u003ccode\u003egopher://\u003c/code\u003e), IP address filtering, or hostname whitelisting. This lack of validation allows a malicious actor to craft URLs that target internal resources, cloud metadata endpoints (e.g., AWS, Azure, GCP), and other sensitive services. Successful exploitation can lead to the exfiltration of sensitive data, including IAM credentials, and allow an attacker to probe internal network infrastructure. Version 4.3 of text-generation-webui addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an instance of text-generation-webui running a vulnerable version (prior to 4.3) with the superbooga or superboogav2 RAG extension enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting a cloud metadata endpoint (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious URL into a text-generation-webui RAG extension user input field.\u003c/li\u003e\n\u003cli\u003eThe application, using the \u003ccode\u003erequests.get()\u003c/code\u003e function, fetches the content from the attacker-controlled URL without validation.\u003c/li\u003e\n\u003cli\u003eThe cloud metadata, containing potentially sensitive information like temporary IAM credentials, is retrieved by the application.\u003c/li\u003e\n\u003cli\u003eThe retrieved data is processed through the RAG pipeline.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the RAG pipeline to extract the content from the application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated credentials to access and compromise other resources within the victim\u0026rsquo;s cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35486 can have significant consequences. An attacker can potentially gain unauthorized access to cloud resources by stealing IAM credentials. This could lead to data breaches, service disruption, and financial loss. The vulnerability affects any text-generation-webui instance running a version prior to 4.3 with the vulnerable RAG extensions enabled, impacting individuals and organizations utilizing this software for LLM-based applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade text-generation-webui to version 4.3 or later to remediate the SSRF vulnerability (CVE-2026-35486).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect text-generation-webui SSRF Attempt\u0026rdquo; to your SIEM to detect exploitation attempts targeting cloud metadata endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for outbound connections to internal IP addresses (e.g., 169.254.169.254) originating from the text-generation-webui application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T16:16:26Z","date_published":"2026-04-07T16:16:26Z","id":"/briefs/2026-04-text-generation-webui-ssrf/","summary":"The text-generation-webui application before version 4.3 is vulnerable to server-side request forgery (SSRF) due to insufficient validation of user-supplied URLs by the superbooga and superboogav2 RAG extensions, potentially leading to credential theft and internal network reconnaissance.","title":"text-generation-webui SSRF Vulnerability (CVE-2026-35486)","url":"https://feed.craftedsignal.io/briefs/2026-04-text-generation-webui-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-35050"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path traversal","code execution","text-generation-webui"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe text-generation-webui application, an open-source web interface for running Large Language Models, contains a path traversal vulnerability (CVE-2026-35050) in versions prior to 4.1.1. A high-privileged user can exploit this vulnerability by saving extension settings in \u0026ldquo;.py\u0026rdquo; format within the application\u0026rsquo;s root directory. This allows them to overwrite existing Python files, most notably \u0026ldquo;download-model.py\u0026rdquo;. Subsequently, the overwritten \u0026ldquo;download-model.py\u0026rdquo; file can be executed by initiating a new model download through the application\u0026rsquo;s \u0026ldquo;Model\u0026rdquo; menu. Successful exploitation leads to arbitrary code execution within the context of the application. This vulnerability was patched in version 4.1.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the text-generation-webui application with high privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious Python script (e.g., containing reverse shell code).\u003c/li\u003e\n\u003cli\u003eAttacker saves the malicious script as an extension setting in \u0026ldquo;.py\u0026rdquo; format, leveraging path traversal to target the application\u0026rsquo;s root directory. The filename is chosen to overwrite \u0026ldquo;download-model.py\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe application saves the malicious \u0026ldquo;.py\u0026rdquo; file, overwriting the original \u0026ldquo;download-model.py\u0026rdquo; in the application root.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the \u0026ldquo;Model\u0026rdquo; menu within the text-generation-webui.\u003c/li\u003e\n\u003cli\u003eAttacker initiates the download of a new model, triggering the execution of the (now compromised) \u0026ldquo;download-model.py\u0026rdquo; file.\u003c/li\u003e\n\u003cli\u003eThe malicious Python code within \u0026ldquo;download-model.py\u0026rdquo; executes, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell connection to their controlled system, achieving full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35050 allows a high-privileged attacker to achieve arbitrary code execution on the server hosting the text-generation-webui application. This could lead to complete system compromise, data exfiltration, and denial of service. The impact is critical due to the ease of exploitation and the potential for significant damage. Organizations using vulnerable versions of text-generation-webui are at risk of having their systems compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade text-generation-webui to version 4.1.1 or later to patch CVE-2026-35050.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls to prevent unauthorized modification of critical application files, mitigating similar path traversal vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file creation events in the application root directory to detect potential exploitation attempts (see example Sigma rule below targeting file creation in the webserver category).\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from the text-generation-webui server for suspicious outbound connections, which could indicate a reverse shell or other malicious activity resulting from code execution. Deploy the provided Sigma rule to detect such connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T18:16:42Z","date_published":"2026-04-06T18:16:42Z","id":"/briefs/2026-04-text-generation-webui-path-traversal/","summary":"text-generation-webui versions prior to 4.1.1 are vulnerable to path traversal, allowing a high-privileged user to overwrite Python files and achieve arbitrary code execution by triggering the 'download-model.py' file through the application's 'Model' menu.","title":"text-generation-webui Path Traversal Vulnerability (CVE-2026-35050)","url":"https://feed.craftedsignal.io/briefs/2026-04-text-generation-webui-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Text-Generation-Webui","version":"https://jsonfeed.org/version/1.1"}