Cyber Resilience

CVE-2026-35050

Critical · Public PoC

Published: 06 April 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0044 (34.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-35050 is a critical-severity Path Traversal (CWE-22) vulnerability in Oobabooga Textgen. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35050 is a path traversal vulnerability (CWE-22) affecting text-generation-webui, an open-source web interface for running Large Language Models, in versions prior to 4.1.1. The issue allows users to save extension settings in Python (.py) format directly into the application root directory, enabling the overwriting of critical Python files such as download-model.py. This flaw has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

An attacker with high privileges (PR:H), such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By overwriting a Python file like download-model.py and then triggering its execution via the "Model" menu during a model download request, the attacker achieves arbitrary code execution with a changed scope (S:C), potentially compromising confidentiality, integrity, and availability at a high level.

The vulnerability is fixed in text-generation-webui version 4.1.1. Security practitioners should consult the GitHub security advisory at https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv for detailed patch information and mitigation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extension settings in "py" format and in the app root directory. This allows overwriting Python files; for instance, the "download-model.py" file could be overwritten. Then, this Python file can be triggered to get executed from the "Model" menu when requesting to download a new model. This vulnerability is fixed in 4.1.1.

CWE(s)

AI Security Analysis · AI

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: text-generation-webui

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python · Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Path traversal in a public-facing web app enables RCE by overwriting a Python script (download-model.py) and then executing it via an application trigger.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-10902 (Shared CWE-22)
CVE-2026-35486 (Same vendor: Oobabooga)
CVE-2026-7524 (Shared CWE-22)
CVE-2025-27783 (Shared CWE-22)
CVE-2025-27782 (Shared CWE-22)
CVE-2026-42048 (Shared CWE-22)
CVE-2024-10361 (Shared CWE-22)
CVE-2026-24478 (Shared CWE-22)
CVE-2026-35485 (Shared CWE-22)
CVE-2026-29871 (Shared CWE-22)

Affected Assets

oobabooga
textgen
≤ 4.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates inputs during extension settings saves to block path traversal attempts that enable overwriting Python files in the application root directory.

prevent

Enforces least privilege to prevent high-privilege (PR:H) users from writing to critical directories like the app root, blocking exploitation.

detect

Monitors software integrity of critical files like download-model.py to detect unauthorized overwrites from path traversal exploits.
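
A sketch of the input-validation control for the settings-save path, as an added example that is not code from text-generation-webui or from this page. The function names, the allowed suffixes and the `settings` directory are assumptions, and the filenames in `demo()` are constructed.

```python
import tempfile
from pathlib import Path

# Assumption: settings are data, so only non-executable formats are accepted.
ALLOWED_SUFFIXES = {".yaml", ".yml", ".json"}

class UnsafeSettingsPath(ValueError):
    """Raised when a requested settings filename is rejected."""

def resolve_settings_path(settings_dir, requested_name):
    """Return the absolute path a settings file may be written to, or raise."""
    base = Path(settings_dir).resolve()
    if not requested_name or "\x00" in requested_name:
        raise UnsafeSettingsPath("empty name or NUL byte")
    # resolve() collapses ".." and follows symlinks, so the checks below are
    # made on the location that would really be written.
    candidate = (base / requested_name).resolve()
    if candidate.parent != base:
        raise UnsafeSettingsPath(f"outside settings directory: {requested_name!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeSettingsPath(f"suffix not allowed: {candidate.suffix!r}")
    return candidate

def save_settings(settings_dir, requested_name, text):
    """Write settings only after the target path has passed validation."""
    path = resolve_settings_path(settings_dir, requested_name)
    path.write_text(text, encoding="utf-8")
    return path

def demo():
    """Run constructed filenames against a throwaway application layout."""
    original = "print('original')\n"
    results = {}
    with tempfile.TemporaryDirectory() as root:
        script = Path(root) / "download-model.py"
        script.write_text(original, encoding="utf-8")
        settings_dir = Path(root) / "settings"  # hypothetical dedicated directory
        settings_dir.mkdir()
        cases = {"plain": "settings.yaml", "py_suffix": "settings.py",
                 "traversal": "../download-model.py", "absolute": str(script)}
        for label, name in cases.items():
            try:
                save_settings(settings_dir, name, "key: value\n")
                results[label] = "saved"
            except UnsafeSettingsPath:
                results[label] = "rejected"
        results["script_intact"] = script.read_text(encoding="utf-8") == original
    return results
```

Keeping the settings directory separate from the application root, and writable by the service account while the root is not, applies the least-privilege control alongside this check.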

References