PT-2026-30859 · Unknown+1 · Superbooga+3

Programsurf +2

Published: 2026-04-07 · Updated: 2026-04-07 · CVE-2026-35486

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
text-generation-webui versions prior to 4.3

Description
text-generation-webui is an open-source web interface for running Large Language Models. In versions prior to 4.3, the superbooga and superboogav2 RAG extensions retrieve user-provided URLs using requests.get() without any validation: there is no scheme checking, IP filtering, or hostname allowlisting. This allows an attacker to access cloud metadata endpoints, potentially stealing IAM credentials, and to probe internal services. The retrieved content is then exfiltrated through the RAG pipeline.

Recommendations
Update to version 4.3 or later.

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-35486

Affected Products

Requests
Superbooga
Superboogav2
Text-Generation-Webui