CVE-2026-35486
Published: 07 April 2026
Summary
CVE-2026-35486 is a high-severity SSRF (CWE-918) vulnerability in Oobabooga Text Generation Web Ui. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user-supplied URLs to prevent SSRF by enforcing checks on scheme, IP, and hostname before fetching content via requests.get().
Enforces flow control policies that block unauthorized server-side requests to internal cloud metadata endpoints or services from the RAG extensions.
Deploys boundary protection devices like proxies or WAFs to monitor and restrict outbound communications exploited in SSRF attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app (RAG extensions) directly enables T1190 for initial exploitation; allows access to cloud metadata for IAM credentials (T1552.005); facilitates internal network probing (T1018) and service enumeration (T1046) via arbitrary unauthenticated HTTP requests.
NVD Description
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation — no scheme check, no IP filtering, no hostname allowlist. An attacker…
more
can access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is exfiltrated through the RAG pipeline. This vulnerability is fixed in 4.3.
Deeper analysisAI
CVE-2026-35486 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the open-source text-generation-webui, a web interface for running large language models. In versions prior to 4.3, the superbooga and superboogav2 Retrieval-Augmented Generation (RAG) extensions fetch user-supplied URLs using requests.get() without any validation, including no scheme checks, IP filtering, or hostname allowlists. This allows arbitrary HTTP requests to internal or external resources. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with no requirements for authentication or user interaction.
A remote, unauthenticated attacker can exploit this by supplying malicious URLs through the RAG extensions, tricking the server-side application into making requests to attacker-controlled endpoints. Successful exploitation enables access to cloud metadata services (such as those exposing IAM credentials), internal network probing, and service enumeration. The fetched content is then exfiltrated via the RAG pipeline, potentially leaking sensitive data like credentials or internal configurations to the attacker.
The official GitHub security advisory (GHSA-jvrj-w5hq-6cp2) confirms the issue is fully resolved in text-generation-webui version 4.3, which introduces proper URL validation. Security practitioners should immediately upgrade affected instances to 4.3 or later and review logs for suspicious RAG extension usage, particularly in cloud-hosted deployments running large language models.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: rag pipeline