AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-35050: text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save

criticalvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseApril 6, 2026CVE-2026-35050

Summary

text-generation-webui is an open-source web interface for running Large Language Models (AI systems that generate text). Before version 4.1.1, the application allowed users to save extension settings as Python files (code files that run on servers) in the main app directory, which could let attackers overwrite important Python files like 'download-model.py' and execute malicious code when users tried to download a new model.

Solution / Mitigation

This vulnerability is fixed in version 4.1.1.

Vulnerability Details

CVSS Score

9.1(critical)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

network

Attack Complexity

low

Privileges Required

high

User Interaction

none

Disclosure Date

April 6, 2026

Classification

Attack SophisticationTrivial

Impact (CIA+S)

integrityavailability

AI Component TargetedInference

Taxonomy References

CWE (Weakness Type)

CWE-22

CAPEC (Attack Pattern)

CAPEC-126

Affected Vendors

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-35050

First tracked: April 6, 2026 at 08:08 PM

Classified by LLM (prompt v3) · confidence: 95%