CVE-2026-35050 Overview
CVE-2026-35050 is a critical Path Traversal vulnerability affecting text-generation-webui, an open-source web interface for running Large Language Models. Prior to version 4.1.1, users can save extension settings in "py" format within the application root directory. This functionality lacks proper path validation, allowing attackers to overwrite arbitrary Python files on the system, including critical application files like download-model.py. Once overwritten, these malicious Python files can be triggered through the "Model" menu when requesting to download a new model, leading to remote code execution.
Critical Impact
Attackers with privileged access can achieve arbitrary code execution by overwriting Python files and triggering their execution through normal application workflows, potentially compromising the entire LLM hosting infrastructure.
Affected Products
- text-generation-webui versions prior to 4.1.1
- oobabooga/text-generation-webui (GitHub)
- Self-hosted LLM web interface deployments
Discovery Timeline
- 2026-04-06 - CVE-2026-35050 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35050
Vulnerability Analysis
This vulnerability stems from insufficient path validation (CWE-22, path traversal) in the extension settings save functionality. The application allows users to save extension settings files with a .py extension and does not properly sanitize the destination path. An attacker with high-privilege access to the web interface can craft a malicious save request that traverses outside the intended extension settings directory and overwrites critical Python files in the application root.
The attack chain is particularly dangerous because text-generation-webui naturally executes Python scripts as part of its model download functionality. By overwriting download-model.py with malicious code and then initiating a model download from the UI, an attacker can achieve arbitrary code execution within the context of the application. This could lead to complete system compromise, data exfiltration, or lateral movement within the network.
The vulnerability affects network-accessible deployments and requires high privileges to exploit, but once exploited, the impact crosses security boundaries and affects the confidentiality, integrity, and availability of the system.
Root Cause
The root cause is a lack of proper path validation and sanitization when handling file save operations for extension settings. The application fails to:
- Restrict file extensions to safe formats only
- Validate that the destination path remains within the intended directory
- Implement proper canonicalization to prevent directory traversal sequences
This allows an attacker to use path traversal sequences (such as ../) to navigate outside the extensions directory and overwrite arbitrary files accessible by the application's process.
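The three missing checks listed above map directly onto a small validation routine. The following is an added illustration, not code from text-generation-webui or from the 4.1.1 patch; the settings directory name, the allowed-format list and the function names are assumptions chosen for the example. It rejects executable extensions, refuses any name with directory components, and then confirms containment on canonicalized paths so that ../ sequences and symlinks cannot relocate the write.

```python
from pathlib import Path

# Hypothetical settings directory; the real project's layout is not reproduced here.
EXTENSION_SETTINGS_DIR = Path("user_data/extension_settings")

# Only data formats are allowed; executable formats such as .py are rejected outright.
ALLOWED_SUFFIXES = {".json", ".yaml", ".yml"}


class UnsafePathError(ValueError):
    """Raised when a requested filename would escape the settings directory or use a forbidden type."""


def resolve_settings_path(filename: str, base_dir: Path = EXTENSION_SETTINGS_DIR) -> Path:
    """Return a canonical path inside base_dir for filename, or raise UnsafePathError.

    Checks, in order:
      1. the extension is on the allow-list (no .py or other executable formats),
      2. the value is a bare filename (no separators, parent references or absolute paths),
      3. the canonicalized destination still lies inside the canonicalized base directory.
    """
    if not filename or Path(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafePathError(f"extension not allowed: {filename!r}")

    # Reject both separator styles explicitly, then anything that is not a single path component.
    if "/" in filename or "\\" in filename:
        raise UnsafePathError(f"directory separators not allowed: {filename!r}")
    name = Path(filename)
    if name.is_absolute() or len(name.parts) != 1 or name.name in ("", ".", ".."):
        raise UnsafePathError(f"directory components not allowed: {filename!r}")

    base = base_dir.resolve()
    candidate = (base / name.name).resolve()

    # Containment check on canonical paths, so symlinks and ../ cannot move the write elsewhere.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"destination escapes settings directory: {filename!r}") from None
    return candidate


def is_safe_settings_name(filename: str, base_dir: Path = EXTENSION_SETTINGS_DIR) -> bool:
    """Boolean convenience wrapper around resolve_settings_path for callers that only need a verdict."""
    try:
        resolve_settings_path(filename, base_dir)
        return True
    except UnsafePathError:
        return False


def save_extension_settings(filename: str, content: str, base_dir: Path = EXTENSION_SETTINGS_DIR) -> Path:
    """Write content to a validated location under base_dir and return the path written."""
    target = resolve_settings_path(filename, base_dir)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target
```

The order matters: the extension allow-list runs first so that an executable target is refused even when the path itself is clean, and the containment check runs on resolved paths so that the decision does not depend on string matching of ../ alone.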
Attack Vector
The attack is network-based and requires authenticated access with high privileges. The exploitation process involves:
- Initial Access: An attacker gains authenticated access to the text-generation-webui interface with sufficient privileges to modify extension settings
- File Overwrite: The attacker crafts a malicious request to save extension settings, using path traversal to target download-model.py or another executable Python file
- Payload Injection: The saved "settings" file contains malicious Python code designed to execute arbitrary commands
- Trigger Execution: The attacker navigates to the Model menu and initiates a model download, which executes the overwritten Python file
- Code Execution: The malicious payload executes with the privileges of the web application process
The vulnerability manifests in the extension settings save handler, which accepts a user-controlled file path without proper validation. For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35050
Indicators of Compromise
- Unexpected modifications to Python files in the text-generation-webui root directory, particularly download-model.py
- File integrity monitoring alerts for application Python files showing unauthorized changes
- Unusual extension settings save requests containing path traversal sequences (../) in logs
- Anomalous process execution spawned by the text-generation-webui process
Detection Strategies
- Implement file integrity monitoring (FIM) on all Python files within the text-generation-webui installation directory
- Monitor web application logs for extension settings save requests containing suspicious path patterns or .py file extensions
- Deploy endpoint detection rules to alert on modification of application files by the web server process
- Use SentinelOne's behavioral AI to detect anomalous code execution patterns originating from the LLM web interface
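The log-based strategy above (save requests carrying traversal sequences or a .py target) can be implemented as a small scanner. The code below is an added example, not part of the advisory or of text-generation-webui; the request path /api/extensions/settings/save, the file= query parameter and the log line format are assumptions, and the log lines are constructed for the example. The scanner undoes repeated percent-encoding and normalizes backslashes before inspecting the target name, so encoded or Windows-style traversal is classified the same way as a plain ../ sequence.

```python
import re
from urllib.parse import unquote

# Assumed endpoint and parameter name for the example; the real application's routes differ.
SAVE_PATH = "/api/extensions/settings/save"
FILE_PARAM = re.compile(r"[?&]file=([^&\s]+)")

# Constructed sample log lines in a generic "timestamp method path status" layout.
SAMPLE_LOG = """\
2026-04-07T10:01:02Z POST /api/extensions/settings/save?file=chat_ext.json 200
2026-04-07T10:01:09Z POST /api/extensions/settings/save?file=..%2F..%2Fdownload-model.py 200
2026-04-07T10:02:15Z POST /api/extensions/settings/save?file=%252e%252e%2Fserver.py 200
2026-04-07T10:02:40Z GET  /api/models/list 200
2026-04-07T10:03:05Z POST /api/extensions/settings/save?file=ui_theme.yaml 200
2026-04-07T10:03:30Z POST /api/extensions/settings/save?file=..\\download-model.py 200
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that ..%252F and ..%2F both normalize to ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_filename(raw: str) -> list[str]:
    """Return the reasons a save target looks suspicious; an empty list means benign."""
    name = fully_decode(raw).replace("\\", "/")
    reasons = []
    if any(part == ".." for part in name.split("/")):
        reasons.append("path traversal sequence")
    if name.startswith("/"):
        reasons.append("absolute path")
    if "/" in name:
        reasons.append("directory component")
    if name.lower().endswith(".py"):
        reasons.append("executable .py target")
    return reasons


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every settings save request whose target is suspicious."""
    findings = []
    for line in text.splitlines():
        if SAVE_PATH not in line:
            continue
        match = FILE_PARAM.search(line)
        if not match:
            continue
        reasons = classify_filename(match.group(1))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG):
        print(f"ALERT {', '.join(reasons)}: {line}")
```

A bare download-model.py target with no traversal still produces a finding, which mirrors the root-cause list: the extension alone is enough to warrant an alert, independently of whether the path escapes the directory.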
Monitoring Recommendations
- Enable verbose logging for all file operations within text-generation-webui
- Configure alerts for any write operations to Python files outside the designated extensions directory
- Implement real-time monitoring of the application root directory for unexpected file modifications
- Deploy network-level monitoring to detect suspicious API calls to extension settings endpoints
How to Mitigate CVE-2026-35050
Immediate Actions Required
- Upgrade text-generation-webui to version 4.1.1 or later immediately
- Audit existing Python files in the application directory for unauthorized modifications
- Restrict network access to text-generation-webui instances to trusted networks only
- Review user accounts with elevated privileges and revoke unnecessary access
Patch Information
The vulnerability is fixed in text-generation-webui version 4.1.1. Organizations should update to this version or later as soon as possible. The patch implements proper path validation and restricts the file extensions that can be saved through the extension settings functionality.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to the text-generation-webui interface to trusted administrators only until patching is complete
- Implement network segmentation to isolate LLM hosting infrastructure from critical systems
- Deploy file integrity monitoring on the application directory with immediate alerting
- Consider disabling extension settings functionality if not required for operations
# Configuration example
# Restrict network access to text-generation-webui (example using iptables).
# Rules are appended in order, so the ACCEPT for the trusted range must precede the DROP.
iptables -A INPUT -p tcp --dport 7860 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 7860 -j DROP
# Enable file integrity monitoring on the application directory.
# Example using auditd: -p wa records write and attribute-change events, tagged with the key webui_integrity.
auditctl -w /path/to/text-generation-webui/ -p wa -k webui_integrity
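The auditd watch above records future changes; the "audit existing Python files for unauthorized modifications" action also needs a baseline to compare against. The following is an added example, not code from the advisory or from text-generation-webui: it hashes every .py file under an installation directory into a baseline (taken right after a clean install or upgrade) and reports modified, added and removed files on later runs. The demo() function builds a scratch directory with constructed files so the logic can be exercised without a real installation.

```python
import hashlib
import json
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(app_dir: Path) -> dict[str, str]:
    """Map every .py file under app_dir (as a relative path) to its SHA-256."""
    return {
        str(p.relative_to(app_dir)): hash_file(p)
        for p in sorted(app_dir.rglob("*.py"))
        if p.is_file()
    }


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    """Persist the baseline; keep this copy somewhere the web application process cannot write."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True), encoding="utf-8")


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text(encoding="utf-8"))


def compare_baseline(app_dir: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return modified, added and removed .py files relative to the stored baseline."""
    current = build_baseline(app_dir)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Walkthrough on a constructed scratch directory; not a real text-generation-webui install."""
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "download-model.py").write_text("print('download')\n", encoding="utf-8")
        (app / "extensions").mkdir()
        (app / "extensions" / "example.py").write_text("SETTINGS = {}\n", encoding="utf-8")
        baseline = build_baseline(app)

        # Simulate an unauthorized overwrite of the file the advisory highlights,
        # plus a new Python file dropped into the application root.
        (app / "download-model.py").write_text("print('tampered')\n", encoding="utf-8")
        (app / "injected.py").write_text("pass\n", encoding="utf-8")
        return compare_baseline(app, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken from a known-good checkout, stored outside the application's write scope, and the comparison is scheduled or run on demand; any entry under "modified" or "added" in the application root is the indicator of compromise the Detection Methods section describes.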
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.