Security Flaw in text-generation-webui RAG Extensions by oobabooga
CVE-2026-35486

7.5HIGH

Key Information:

Vendor: Oobabooga
Status: Text-generation-webui
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-35486?

A security vulnerability exists in text-generation-webui, specifically within the RAG extensions known as superbooga and superboogav2. Prior to version 4.3, these extensions utilize requests.get() to fetch user-supplied URLs without any form of validation, allowing attackers to access sensitive information. This includes the potential to expose cloud metadata endpoints, steal IAM credentials, and probe internal services, as the fetched content is indiscriminately exfiltrated through the RAG pipeline. Users are advised to upgrade to version 4.3 or later to mitigate these risks.

Affected Version(s)

text-generation-webui < 4.3

References

https://github.com/oobabooga/text-generation-webui/securi...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35486 Data

JSON

Oobabooga

What is CVE-2026-35486?

Affected Version(s)

References

CVSS V3.1

Timeline