CVE-2026-35050 Overview
CVE-2026-35050 affects text-generation-webui, an open-source web interface for running Large Language Models (LLMs) maintained by oobabooga. Authenticated users can save extension settings as .py files in the application root directory. This behavior allows attackers to overwrite existing Python files, such as download-model.py, with attacker-controlled code. The overwritten file is subsequently executed when a user requests a model download from the Model menu. The flaw is classified as a path traversal weakness [CWE-22] and is fixed in version 4.1.1.
Critical Impact
Authenticated attackers can achieve arbitrary code execution on the host by overwriting trusted Python files that the application invokes during normal workflows.
Affected Products
- oobabooga text-generation-webui versions prior to 4.1.1
- Deployments exposing the web interface to multi-user or networked environments
- Self-hosted LLM stacks built on top of text-generation-webui
Discovery Timeline
- 2026-04-06 - CVE-2026-35050 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35050
Vulnerability Analysis
The vulnerability resides in the extension settings save functionality of text-generation-webui. The application permits users to persist settings under filenames ending in .py and writes those files to the application root directory. Because the root directory contains operational Python scripts used by the application, the save routine effectively grants write access to executable code paths. An authenticated user can supply a filename matching an existing application script, such as download-model.py, and replace its contents with arbitrary Python. The replaced file is invoked the next time a user triggers a model download from the Model menu, resulting in execution of attacker-supplied code in the server process context.
Root Cause
The root cause is insufficient validation of the destination filename and directory when saving extension settings. The application does not constrain the output path to a dedicated, non-executable settings directory and does not reject filenames that collide with existing Python source files. The combination of an arbitrary file write [CWE-22] and a Python module the application invokes at runtime lets the attacker choose both the file written and its contents, which translates directly into code execution.
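The hardening a defender would apply to this save routine, as an added example that is not the project's own code: the settings name is allow-listed, confined to a dedicated non-executable directory, and containment is re-checked after path resolution. The directory layout, function names, and the `naive_target` helper that illustrates the flaw class are assumptions for this example.

```python
import re
from pathlib import Path

# Constructed layout for this example; these paths are assumptions, not the
# project's actual directory structure.
APP_ROOT = Path("/opt/text-generation-webui")
SETTINGS_DIR = APP_ROOT / "user_data" / "extension_settings"

# Conservative allow-list: no path separators, no traversal components, and
# only non-executable extensions, so a settings name can never collide with
# an operational script such as download-model.py.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(yaml|json)$")


class UnsafeSettingsName(ValueError):
    """Raised when a user-supplied settings name is rejected."""


def naive_target(name: str, app_root: Path = APP_ROOT) -> Path:
    # Illustrates the flaw class in the advisory: the user-chosen name is joined
    # straight onto the application root, so "download-model.py" resolves to the
    # real script and a save overwrites it. Hypothetical, not the project's code.
    return app_root / name


def is_safe_settings_name(name: str) -> bool:
    return _SAFE_NAME.fullmatch(name) is not None


def resolve_settings_path(name: str, settings_dir: Path = SETTINGS_DIR) -> Path:
    """Map a user-supplied name to a file inside settings_dir, or raise."""
    if not is_safe_settings_name(name):
        raise UnsafeSettingsName(f"rejected settings name: {name!r}")
    base = settings_dir.resolve()
    target = (base / name).resolve()
    # Containment check after resolution, in case the allow-list is ever relaxed
    # or a symlink is planted inside the settings directory.
    if target.parent != base:
        raise UnsafeSettingsName(f"escapes settings directory: {name!r}")
    return target


def save_settings(name: str, content: str, settings_dir: Path = SETTINGS_DIR) -> Path:
    """Persist extension settings under a validated, non-executable filename."""
    target = resolve_settings_path(name, settings_dir)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target
```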
Attack Vector
The attack vector is network-based and requires low-privilege authentication on the web interface. An attacker with access to the settings save endpoint submits a crafted settings payload using a filename of a Python script in the application root. The attacker then triggers, or waits for any user to trigger, the model download workflow. Execution occurs under the privileges of the process running text-generation-webui, which typically has access to model files, API keys, and the host filesystem.
No verified proof-of-concept code is published. See the vendor advisory for technical details:
[GitHub Security Advisory GHSA-jg96-p5p6-q3cv](https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv)
Detection Methods for CVE-2026-35050
Indicators of Compromise
- Unexpected modification timestamps on Python files in the text-generation-webui root directory, particularly download-model.py.
- New or modified .py files appearing under the application root that match extension setting names.
- Outbound network connections or child processes spawned by the text-generation-webui Python process that do not align with normal model download activity.
Detection Strategies
- Monitor file integrity on the text-generation-webui installation directory and alert on writes to any file with a .py extension.
- Inspect web access logs for POST requests to extension settings save endpoints with filenames matching known application scripts.
- Hunt for anomalous process lineage where the web server interpreter spawns shells, package managers, or networking utilities.
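The file-integrity check from the first detection strategy, as an added example rather than tooling from the project: it hashes the .py files directly under the application root, diffs against a baseline, and rates a change to download-model.py as critical because the advisory names it as invoked by the model download workflow. The `demo` scenario builds a constructed fake install in a temporary directory; the file set and severities are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Scripts the advisory says the application invokes during normal workflows.
TRUSTED_SCRIPTS = {"download-model.py"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_py_files(root) -> dict:
    """Hash every .py file directly under the root, where the flawed save writes."""
    root = Path(root)
    return {p.name: sha256_file(p) for p in sorted(root.glob("*.py")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(n for n in common if baseline[n] != current[n]),
    }


def alerts_for(diff: dict) -> list:
    """Turn a diff into alert strings; an overwritten trusted script is critical."""
    out = []
    for name in diff["modified"]:
        sev = "CRITICAL" if name in TRUSTED_SCRIPTS else "HIGH"
        out.append(f"{sev}: {name} modified in application root")
    for name in diff["added"]:
        out.append(f"HIGH: new Python file {name} written to application root")
    return out


def demo() -> list:
    """Constructed scenario: baseline a fake install, then simulate the overwrite."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "download-model.py").write_text("print('original downloader')\n")
        baseline = snapshot_py_files(root)
        # Simulated outcome of the flawed save: script body replaced, settings saved as .py
        (root / "download-model.py").write_text("# replaced contents\n")
        (root / "my_extension.py").write_text("# settings saved as .py\n")
        return alerts_for(diff_snapshots(baseline, snapshot_py_files(root)))
```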
Monitoring Recommendations
- Enable verbose application logging and forward logs to a centralized SIEM for retention and correlation.
- Track installed version strings of text-generation-webui across hosts and alert on any instance below 4.1.1.
- Baseline outbound connections from LLM hosts and review deviations, since exfiltration commonly follows code execution on AI infrastructure.
How to Mitigate CVE-2026-35050
Immediate Actions Required
- Upgrade text-generation-webui to version 4.1.1 or later on all hosts.
- Restrict access to the web interface using network controls and require strong authentication for every account.
- Audit the application root directory for unauthorized changes to Python files and restore from known-good sources if tampering is suspected.
- Rotate any credentials, API tokens, or model access keys stored on affected hosts.
Patch Information
The maintainers fixed the issue in text-generation-webui version 4.1.1. Refer to the GitHub Security Advisory GHSA-jg96-p5p6-q3cv for the official remediation guidance and patch references.
Workarounds
- Limit interface access to trusted administrators only until the upgrade is applied.
- Run text-generation-webui under a dedicated unprivileged service account with read-only permissions on the application directory where feasible.
- Place the application behind a reverse proxy that enforces authentication and rate limiting on settings-related endpoints.
```bash
# Upgrade text-generation-webui to the patched version
cd /path/to/text-generation-webui
git fetch --tags
git checkout v4.1.1
pip install -r requirements.txt
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.