CVE-2026-35486: text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and
Summary
text-generation-webui, an open-source web interface for running Large Language Models, has a vulnerability in versions before 4.3 where the superbooga and superboogav2 RAG extensions (tools that fetch external documents to help answer questions) accept user-provided URLs without checking them for safety. This allows attackers to access cloud metadata endpoints (services that store sensitive credentials in cloud environments) and steal IAM credentials (identity and access management tokens that control what users can do). The vulnerability is fixed in version 4.3.
Solution / Mitigation
Update text-generation-webui to version 4.3 or later.
Vulnerability Details
7.5(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
network
low
none
none
April 7, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-35486
First tracked: April 7, 2026 at 02:08 PM
Classified by LLM (prompt v3) · confidence: 92%