Path traversal in Text Generation Web UI - CVE-2026-35487


Published: April 24, 2026


Vulnerability identifier: #VU127425
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35487
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: oobabooga
Affected software:
Text Generation Web UI

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insufficient validation of the prompt filename passed to load_prompt() through the API. A remote, unauthenticated attacker can send a request whose filename contains directory traversal sequences (such as "../") and read files outside the intended prompts directory.

Reads are limited to files with a .txt extension, but any such file readable by the server process can be disclosed, and its contents are returned verbatim in the API response.
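The traversal pattern described above, as an added illustration that is not the project's own code: a naive loader that trusts the client-supplied name and only appends ".txt", beside a hardened loader that rejects path separators and verifies the resolved path stays inside the prompts directory. The function names, the prompts/ directory layout and the sample files are assumptions constructed for this example.

```python
from pathlib import Path
import tempfile

# Constructed example: a vulnerable prompt loader and a hardened one.
# Not the project's code; names and directory layout are assumptions.


class PromptNotFound(ValueError):
    """Raised for any name that does not map to a prompt inside prompts_dir."""


def load_prompt_vulnerable(prompts_dir: Path, fname: str) -> str:
    """Naive loader: trusts the client-supplied name and only forces a .txt suffix.

    A name such as "../secret" still resolves outside prompts_dir, so any .txt
    file the server process can read is returned verbatim.
    """
    path = prompts_dir / f"{fname}.txt"
    return path.read_text(encoding="utf-8")


def is_safe_prompt_name(fname: str) -> bool:
    """Accept only a bare file name: no separators, NUL bytes or dot entries."""
    if not fname or fname in {".", ".."}:
        return False
    return not any(c in fname for c in "/\\\x00")


def load_prompt_hardened(prompts_dir: Path, fname: str) -> str:
    """Hardened loader: allow-list the name, then confirm the resolved path is inside prompts_dir."""
    if not is_safe_prompt_name(fname):
        raise PromptNotFound(fname)
    base = prompts_dir.resolve()
    candidate = (base / f"{fname}.txt").resolve()
    # Defence in depth: resolve() follows symlinks, so a link inside prompts/
    # that points elsewhere also ends up with a parent other than base.
    if candidate.parent != base or not candidate.is_file():
        raise PromptNotFound(fname)
    return candidate.read_text(encoding="utf-8")


def demo() -> dict:
    """Build a throwaway tree and exercise both loaders with a legitimate and a traversal name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prompts = root / "prompts"
        prompts.mkdir()
        (prompts / "hello.txt").write_text("You are a helpful assistant.", encoding="utf-8")
        # Constructed "sensitive" file one level above the prompts directory.
        (root / "secret.txt").write_text("api-key=constructed-example", encoding="utf-8")

        results = {
            "legit_vulnerable": load_prompt_vulnerable(prompts, "hello"),
            "legit_hardened": load_prompt_hardened(prompts, "hello"),
            # The naive loader happily follows "../" out of prompts/.
            "traversal_vulnerable": load_prompt_vulnerable(prompts, "../secret"),
        }
        try:
            load_prompt_hardened(prompts, "../secret")
            results["traversal_hardened"] = "READ"
        except PromptNotFound:
            results["traversal_hardened"] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The name check alone would stop the "../" case; the resolved-path comparison is kept because it also catches symlinks planted inside the prompts directory and any encoding or normalisation quirk the allow-list did not anticipate. Note that the hardened loader still returns the file contents verbatim, as the advisory describes; it only narrows which files can be reached.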


How to mitigate CVE-2026-35487

Install the security update from the vendor's website. The affected endpoint requires no authentication (PR:N in the vector above), so until the update is applied, do not expose the API to untrusted networks.

Sources