Unauthenticated Path Traversal Vulnerability in text-generation-webui by oobabooga
CVE-2026-35487

5.3MEDIUM

Key Information:

Vendor: Oobabooga
Status: Text-generation-webui
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-35487?

The text-generation-webui, developed by oobabooga, is vulnerable to an unauthenticated path traversal issue that affects versions prior to 4.3. This vulnerability allows an attacker to read any .txt file located on the server's filesystem through the load_prompt() function. The contents of these files are returned directly in the API response, potentially exposing sensitive information. Users are strongly advised to upgrade to version 4.3 or later to mitigate this risk.

Affected Version(s)

text-generation-webui < 4.3

References

https://github.com/oobabooga/text-generation-webui/securi...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35487 Data

JSON

Oobabooga

What is CVE-2026-35487?

Affected Version(s)

References

CVSS V3.1

Timeline