Cyber Resilience

CVE-2026-35486

HighPublic PoC

Published: 07 April 2026

Published
07 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0002 5.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35486 is a high-severity SSRF (CWE-918) vulnerability in Oobabooga Text Generation Web Ui. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35486 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the open-source text-generation-webui, a web interface for running large language models. In versions prior to 4.3, the superbooga and superboogav2 Retrieval-Augmented Generation (RAG) extensions fetch user-supplied URLs using requests.get() without any validation, including no scheme checks, IP filtering, or hostname allowlists. This allows arbitrary HTTP requests to internal or external resources. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no requirements for authentication or user interaction.

A remote, unauthenticated attacker can exploit this by supplying malicious URLs through the RAG extensions, tricking the server-side application into making requests to attacker-controlled endpoints. Successful exploitation enables access to cloud metadata services (such as those exposing IAM credentials), internal network probing, and service enumeration. The fetched content is then exfiltrated via the RAG pipeline, potentially leaking sensitive data like credentials or internal configurations to the attacker.

The official GitHub security advisory (GHSA-jvrj-w5hq-6cp2) confirms the issue is fully resolved in text-generation-webui version 4.3, which introduces proper URL validation. Security practitioners should immediately upgrade affected instances to 4.3 or later and review logs for suspicious RAG extension usage, particularly in cloud-hosted deployments running large language models.

EU & UK References

Vulnerability details

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation — no scheme check, no IP filtering, no hostname allowlist. An attacker…

more

can access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is exfiltrated through the RAG pipeline. This vulnerability is fixed in 4.3.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: rag pipeline, text-generation-webui

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1018 Remote System Discovery Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing web app (RAG extensions) directly enables T1190 for initial exploitation; allows access to cloud metadata for IAM credentials (T1552.005); facilitates internal network probing (T1018) and service enumeration (T1046) via arbitrary unauthenticated HTTP requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30247Shared CWE-918
CVE-2026-27488Shared CWE-918
CVE-2026-41271Shared CWE-918
CVE-2026-26322Shared CWE-918
CVE-2026-30834Shared CWE-918
CVE-2026-25580Shared CWE-918
CVE-2026-34577Shared CWE-918
CVE-2026-28451Shared CWE-918
CVE-2026-31829Shared CWE-918
CVE-2026-4231Shared CWE-918

Affected Assets

oobabooga
text generation web ui
≤ 4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied URLs to prevent SSRF by enforcing checks on scheme, IP, and hostname before fetching content via requests.get().

prevent

Enforces flow control policies that block unauthorized server-side requests to internal cloud metadata endpoints or services from the RAG extensions.

prevent

Deploys boundary protection devices like proxies or WAFs to monitor and restrict outbound communications exploited in SSRF attacks.

References