CVE-2026-35485: text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticate
Summary
text-generation-webui, an open-source web interface for running Large Language Models, has a path traversal vulnerability (a security flaw where an attacker can access files outside the intended directory) in versions before 4.3. An unauthenticated attacker can exploit this by sending specially crafted requests through the API to read any file on the server, because Gradio (the framework it uses) does not validate user input on the server side.
Solution / Mitigation
Update text-generation-webui to version 4.3 or later, where this vulnerability is fixed.
Vulnerability Details
CVSS score: 7.5 (high)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
April 7, 2026
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-35485
First tracked: April 7, 2026 at 02:08 PM