https://feed.craftedsignal.io/tags/text-generation-webui/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 07 Apr 2026 16:16:26 +0000https://feed.craftedsignal.io/briefs/2026-04-text-generation-webui-ssrf/Tue, 07 Apr 2026 16:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-text-generation-webui-ssrf/The text-generation-webui application before version 4.3 is vulnerable to server-side request forgery (SSRF) due to insufficient validation of user-supplied URLs by the superbooga and superboogav2 RAG extensions, potentially leading to credential theft and internal network reconnaissance.The text-generation-webui application is an open-source web interface for running Large Language Models (LLMs). Prior to version 4.3, the superbooga and superboogav2 RAG (Retrieval-Augmented Generation) extensions are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. These extensions fetch user-provided URLs using the requests.get() function without proper validation. Specifically, there are no checks for URL schemes (e.g., file://, gopher://), IP address filtering, or hostname whitelisting. This lack of validation allows a malicious actor to craft URLs that target internal resources, cloud metadata endpoints (e.g., AWS, Azure, GCP), and other sensitive services. Successful exploitation can lead to the exfiltration of sensitive data, including IAM credentials, and allow an attacker to probe internal network infrastructure. Version 4.3 of text-generation-webui addresses this vulnerability.

Attack Chain

1. An attacker identifies an instance of text-generation-webui running a vulnerable version (prior to 4.3) with the superbooga or superboogav2 RAG extension enabled.
2. The attacker crafts a malicious URL targeting a cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/).
3. The attacker injects the malicious URL into a text-generation-webui RAG extension user input field.
4. The application, using the requests.get() function, fetches the content from the attacker-controlled URL without validation.
5. The cloud metadata, containing potentially sensitive information like temporary IAM credentials, is retrieved by the application.
6. The retrieved data is processed through the RAG pipeline.
7. The attacker leverages the RAG pipeline to extract the content from the application.
8. The attacker uses the exfiltrated credentials to access and compromise other resources within the victim’s cloud environment.

Impact

Successful exploitation of CVE-2026-35486 can have significant consequences. An attacker can potentially gain unauthorized access to cloud resources by stealing IAM credentials. This could lead to data breaches, service disruption, and financial loss. The vulnerability affects any text-generation-webui instance running a version prior to 4.3 with the vulnerable RAG extensions enabled, impacting individuals and organizations utilizing this software for LLM-based applications.

Recommendation

• Upgrade text-generation-webui to version 4.3 or later to remediate the SSRF vulnerability (CVE-2026-35486).
• Deploy the Sigma rule “Detect text-generation-webui SSRF Attempt” to your SIEM to detect exploitation attempts targeting cloud metadata endpoints.
• Monitor web server logs for outbound connections to internal IP addresses (e.g., 169.254.169.254) originating from the text-generation-webui application.

]]>highadvisoryssrftext-generation-webuicve-2026-35486cloudhttps://feed.craftedsignal.io/briefs/2026-04-text-generation-webui-path-traversal/Mon, 06 Apr 2026 18:16:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-text-generation-webui-path-traversal/text-generation-webui versions prior to 4.1.1 are vulnerable to path traversal, allowing a high-privileged user to overwrite Python files and achieve arbitrary code execution by triggering the 'download-model.py' file through the application's 'Model' menu.The text-generation-webui application, an open-source web interface for running Large Language Models, contains a path traversal vulnerability (CVE-2026-35050) in versions prior to 4.1.1. A high-privileged user can exploit this vulnerability by saving extension settings in “.py” format within the application’s root directory. This allows them to overwrite existing Python files, most notably “download-model.py”. Subsequently, the overwritten “download-model.py” file can be executed by initiating a new model download through the application’s “Model” menu. Successful exploitation leads to arbitrary code execution within the context of the application. This vulnerability was patched in version 4.1.1.

Attack Chain

1. Attacker authenticates to the text-generation-webui application with high privileges.
2. Attacker crafts a malicious Python script (e.g., containing reverse shell code).
3. Attacker saves the malicious script as an extension setting in “.py” format, leveraging path traversal to target the application’s root directory. The filename is chosen to overwrite “download-model.py”.
4. The application saves the malicious “.py” file, overwriting the original “download-model.py” in the application root.
5. Attacker navigates to the “Model” menu within the text-generation-webui.
6. Attacker initiates the download of a new model, triggering the execution of the (now compromised) “download-model.py” file.
7. The malicious Python code within “download-model.py” executes, granting the attacker arbitrary code execution on the server.
8. The attacker establishes a reverse shell connection to their controlled system, achieving full system compromise.

Impact

Successful exploitation of CVE-2026-35050 allows a high-privileged attacker to achieve arbitrary code execution on the server hosting the text-generation-webui application. This could lead to complete system compromise, data exfiltration, and denial of service. The impact is critical due to the ease of exploitation and the potential for significant damage. Organizations using vulnerable versions of text-generation-webui are at risk of having their systems compromised.

Recommendation

• Immediately upgrade text-generation-webui to version 4.1.1 or later to patch CVE-2026-35050.
• Implement strict file permission controls to prevent unauthorized modification of critical application files, mitigating similar path traversal vulnerabilities.
• Monitor web server logs for unusual file creation events in the application root directory to detect potential exploitation attempts (see example Sigma rule below targeting file creation in the webserver category).
• Inspect network connections originating from the text-generation-webui server for suspicious outbound connections, which could indicate a reverse shell or other malicious activity resulting from code execution. Deploy the provided Sigma rule to detect such connections.

]]>criticaladvisorypath traversalcode executiontext-generation-webui