CVE-2026-35485
Published: 07 April 2026
Summary
CVE-2026-35485 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-35485 is an unauthenticated path traversal vulnerability in the load_grammar() function of text-generation-webui, an open-source web interface for running Large Language Models. Versions prior to 4.3 are affected. The vulnerability stems from a lack of server-side validation of dropdown values in Gradio, which allows arbitrary file reads on the server filesystem with no extension restriction.
An unauthenticated remote attacker can exploit this by sending POST requests with directory traversal payloads, such as "../../../etc/passwd", via the API endpoint. Successful exploitation results in the full contents of the targeted file being returned in the response, enabling unauthorized access to sensitive data like configuration files or system information.
The GitHub security advisory for text-generation-webui states that the vulnerability is fixed in version 4.3, recommending users upgrade to this or later versions for mitigation.
This issue is particularly relevant to deployments of AI/ML inference tools, as text-generation-webui is commonly used to host LLM interfaces exposed over networks. No real-world exploitation has been reported in available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19669
Vulnerability details
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_grammar() allows reading any file on the server filesystem with no extension restriction. Gradio does not server-side validate dropdown values, so an attacker can POST directory traversal payloads (e.g., ../../../etc/passwd) via the API and receive the full file contents in the response. This vulnerability is fixed in 4.3.
- CWE(s)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: gradio, text-generation-webui
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated path traversal in public-facing web UI (Gradio) enables remote arbitrary file reads, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for retrieving sensitive files like configs or system data.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses the lack of server-side validation in load_grammar() by requiring validation of dropdown inputs to block directory traversal payloads like ../../../etc/passwd.
Mitigates the vulnerability by requiring identification, reporting, and correction of the specific flaw fixed in text-generation-webui version 4.3.
Enforces logical access controls to limit file reads to authorized resources, countering unauthorized access enabled by the path traversal vulnerability.
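The server-side input validation described above, shown next to the unvalidated pattern, as an added example (not text-generation-webui's code or its 4.3 fix). The function names, the directory layout and the .gbnf suffix are assumptions, and all files are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

ALLOWED_SUFFIX = ".gbnf"  # assumption: grammar files carry this extension


def load_grammar_unsafe(grammar_dir: Path, name: str) -> str:
    """Unvalidated pattern: the submitted dropdown value is trusted as a file name."""
    return (grammar_dir / name).read_text()


def load_grammar_checked(grammar_dir: Path, name: str) -> str:
    """Validate the submitted value on the server before touching the filesystem."""
    root = grammar_dir.resolve()
    # 1. Allowlist: the value must be one of the choices the server itself offers.
    choices = {p.name for p in root.iterdir()
               if p.is_file() and p.suffix == ALLOWED_SUFFIX}
    if name not in choices:
        raise ValueError(f"rejected grammar name: {name!r}")
    # 2. Containment: resolve symlinks, then confirm the target is still under root.
    target = (root / name).resolve()
    if not target.is_relative_to(root):
        raise ValueError(f"path escapes grammar directory: {name!r}")
    return target.read_text()


def demo() -> dict:
    """Run both loaders against a constructed directory tree and report outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        grammars = base / "app" / "grammars"
        grammars.mkdir(parents=True)
        (grammars / "json.gbnf").write_text('root ::= "{}"')
        (base / "secret.conf").write_text("api_key=constructed-sample")
        # A listed file that is really a symlink to a file outside the directory.
        (grammars / "link.gbnf").symlink_to(base / "secret.conf")
        results = {"unsafe": load_grammar_unsafe(grammars, "../../secret.conf"),
                   "ok": load_grammar_checked(grammars, "json.gbnf")}
        cases = {"traversal": "../../secret.conf",
                 "absolute": str(base / "secret.conf"),
                 "symlink": "link.gbnf"}
        for label, value in cases.items():
            try:
                load_grammar_checked(grammars, value)
                results[label] = "read"
            except ValueError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The symlink case passes the allowlist and is stopped only by the containment check, which is why both checks are applied.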