CVE-2026-35050

CriticalPublic PoC

Published: 06 April 2026

Published

06 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0009 26.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35050 is a critical-severity Path Traversal (CWE-22) vulnerability in Oobabooga Textgen. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates inputs during extension settings saves to block path traversal attempts that enable overwriting Python files in the application root directory.

AC-6 Least Privilege good match

prevent

Enforces least privilege to prevent high-privilege (PR:H) users from writing to critical directories like the app root, blocking exploitation.

SI-7 Software, Firmware, and Information Integrity good match

detect

Monitors software integrity of critical files like download-model.py to detect unauthorized overwrites from path traversal exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Path traversal in public-facing web app enables RCE by overwriting and executing Python script (download-model.py) via app trigger.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extention settings in "py" format and in the app root directory. This allows to overwrite python files, for instance the "download-model.py" file could…

be overwritten. Then, this python file can be triggered to get executed from "Model" menu when requesting to download a new model. This vulnerability is fixed in 4.1.1.

Deeper analysisAI

CVE-2026-35050 is a path traversal vulnerability (CWE-22) affecting text-generation-webui, an open-source web interface for running Large Language Models, in versions prior to 4.1.1. The issue allows users to save extension settings in Python (.py) format directly into the application root directory, enabling the overwriting of critical Python files such as download-model.py. This flaw has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

An attacker with high privileges (PR:H), such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By overwriting a Python file like download-model.py and then triggering its execution via the "Model" menu during a model download request, the attacker achieves arbitrary code execution with scoped impact, potentially compromising confidentiality, integrity, and availability at a high level.

The vulnerability is fixed in text-generation-webui version 4.1.1. Security practitioners should consult the GitHub security advisory at https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv for detailed patch information and mitigation guidance.