Platform
python
Component
text-generation-webui
Fixed in
4.3.1
CVE-2026-35485 is a path traversal vulnerability in text-generation-webui, an open-source web interface for large language models. It allows an unauthenticated attacker to read arbitrary files on the server's filesystem. The issue affects versions prior to 4.3 and is resolved in version 4.3.0.
The impact is significant because exploitation requires no authentication and any file readable by the server process can be retrieved: configuration files, source code, API keys and database credentials, or other confidential data. That can lead to full compromise of the host and data exfiltration. The root cause is that the server trusted values submitted for Gradio dropdown components without validating them server-side. A dropdown's list of choices is only enforced in the browser, so a client that calls the API directly can submit any string, including one containing directory traversal sequences.
The vulnerability is publicly known and documented. No active exploitation campaigns have been confirmed, but the lack of authentication and the simplicity of the payload make it an attractive target, particularly for instances exposed to the internet. It was disclosed on 2026-04-07 and is not currently listed in CISA's KEV catalog.
Exploit Status
EPSS: 0.48% (65th percentile)
The primary mitigation is to upgrade text-generation-webui to version 4.3.0 or later. If upgrading is not immediately feasible, place the instance behind a reverse proxy or Web Application Firewall that rejects API requests containing directory traversal sequences, and restrict access to the UI and API to trusted networks or authenticated users. Note that a filter for the literal string '../' is easy to bypass: decode percent-encoding (including double encoding such as '%252e') and normalise backslashes before inspecting the request, and also reject absolute paths. Run the service under a dedicated low-privilege account with tight file permissions so that a successful read is limited to what that account can access. After upgrading, confirm the fix by submitting a traversal payload that targets a harmless file through the API and verifying that the request is rejected.
Upgrade to version 4.3.0 or later to mitigate the path traversal vulnerability. The update adds the missing server-side validation of dropdown values, preventing attackers from reading arbitrary files from the filesystem.
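The following is an added example, not code from text-generation-webui or from the advisory, illustrating the two points above: how a Gradio-style dropdown value that is trusted server-side becomes an arbitrary-file primitive, how a server can validate it (allow-list plus path containment), and why a request filter must decode before matching. All function names, the model directory and the allow-list are assumptions for illustration.

```python
"""Added example: trusting a dropdown value server-side vs validating it.

Not code from text-generation-webui. Names, paths and choices below are
assumptions made for illustration.
"""
import os
from pathlib import Path
from urllib.parse import unquote

# Assumed: the choices the UI dropdown offers. The browser enforces these,
# the API does not, so the server must re-check them.
ALLOWED_CHOICES = ("llama-7b", "mistral-7b")


def vulnerable_load(base_dir: str, choice: str) -> str:
    """Naive handling: assume `choice` came from the dropdown and join it
    onto the model directory. A client talking to the API directly can send
    any string, so '../' escapes base_dir and an absolute path replaces it."""
    return os.path.normpath(os.path.join(base_dir, choice))


def safe_resolve(base_dir: str, choice: str, allowed=ALLOWED_CHOICES) -> Path:
    """Hardened handling. Raises ValueError on any violation.

    1. Re-check the value against the server-side allow-list (pass
       allowed=None to skip this and rely on the containment check alone).
    2. Resolve the final path and require it to stay under base_dir; this
       also rejects absolute paths and symlinks that point outside.
    """
    if not choice:
        raise ValueError("empty choice")
    if allowed is not None and choice not in allowed:
        raise ValueError(f"not an allowed choice: {choice!r}")
    base = Path(base_dir).resolve()
    target = (base / choice).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"path escapes base directory: {target}")
    return target


def is_allowed(base_dir: str, choice: str, allowed=ALLOWED_CHOICES) -> bool:
    """Boolean wrapper around safe_resolve for callers that just need a verdict."""
    try:
        safe_resolve(base_dir, choice, allowed)
        return True
    except ValueError:
        return False


def looks_like_traversal(value: str) -> bool:
    """Request-level check a WAF or reverse proxy might apply.

    Percent-decodes twice (to catch double encoding such as %252e),
    normalises backslashes to slashes, then looks for a '..' path segment or
    an absolute path. A filter on the literal '../' alone misses
    '%2e%2e%2f' and '..\\'. A segment like 'foo..bar' is not flagged.
    """
    decoded = unquote(unquote(value)).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


if __name__ == "__main__":
    base = "/srv/models"  # assumed model directory
    for payload in ("llama-7b", "../../etc/passwd", "/etc/shadow", "%2e%2e%2fetc%2fpasswd"):
        print(f"{payload!r:32} naive -> {vulnerable_load(base, payload)!r:24} "
              f"allowed={is_allowed(base, payload)} traversal={looks_like_traversal(payload)}")
```

`vulnerable_load` shows the failure mode: `os.path.join` silently discards `base_dir` when the second argument is absolute, and `normpath` collapses `..` so the result points wherever the client wants. `safe_resolve` does the check the fixed version needs to make, by whatever means, in principle: the value must be one the server itself offered, and the resolved path must remain inside the intended directory. `looks_like_traversal` is only a defence-in-depth filter for the interim period and should not be relied on as the fix.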
CVE-2026-35485 is a path traversal vulnerability in text-generation-webui versions before 4.3 that allows unauthenticated attackers to read any file the server process can access.
You are affected if you run text-generation-webui versions prior to 4.3.0, especially if the web UI or its API is reachable by untrusted clients. Check your installed version and upgrade immediately.
Upgrade to text-generation-webui version 4.3.0 or later. Consider WAF rules as a temporary mitigation if upgrading is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the text-generation-webui project's repository and release notes for the official advisory and update information.