CVE-2026-35485 Overview
CVE-2026-35485 is a path traversal vulnerability in text-generation-webui, an open-source web interface for running Large Language Models. Prior to version 4.3, an unauthenticated path traversal vulnerability in the load_grammar() function allows attackers to read any file on the server filesystem with no extension restriction. Because Gradio does not perform server-side validation of dropdown values, an attacker can POST directory traversal payloads (e.g., ../../../etc/passwd) via the API and receive the full file contents in the response.
Critical Impact
Unauthenticated attackers can read arbitrary files from the server filesystem, potentially exposing sensitive configuration files, credentials, private keys, and other confidential data without any user interaction.
Affected Products
- text-generation-webui versions prior to 4.3
- Deployments using Gradio-based API endpoints without additional input validation
- Self-hosted LLM web interfaces accessible over the network
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-35485 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35485
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the load_grammar() function of text-generation-webui. The core issue stems from insufficient input validation when processing file path parameters received through the Gradio-based web interface. Gradio, the framework used to build the web UI, does not enforce server-side validation of dropdown values, creating an opportunity for attackers to manipulate file path inputs.
When a user selects a grammar file through the web interface, the application expects a filename from a predefined list. However, the API endpoint accepts arbitrary values without proper sanitization. An attacker can bypass the intended file selection mechanism by directly sending POST requests to the API with crafted directory traversal sequences.
The vulnerability allows reading files with any extension, making it particularly dangerous as attackers can access sensitive system files, application configuration files containing database credentials, API keys, or SSH private keys stored on the server.
Root Cause
The root cause of this vulnerability is the lack of server-side validation in the load_grammar() function when handling user-supplied file paths. The application trusts the input received from the Gradio frontend dropdown without verifying that the requested file resides within the expected grammar directory. This allows directory traversal sequences like ../ to escape the intended directory and access arbitrary files on the filesystem.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the Gradio API endpoint. The malicious payload contains directory traversal sequences that navigate out of the grammar directory and into other parts of the filesystem. The server processes the request and returns the contents of the specified file in the API response.
For example, an attacker could submit a payload such as ../../../etc/passwd through the grammar file parameter, and the server would read and return the contents of the system password file. This attack pattern can be extended to read any file accessible by the web server process, including application configuration files, environment variables, and sensitive credentials.
Detection Methods for CVE-2026-35485
Indicators of Compromise
- HTTP POST requests to Gradio API endpoints containing path traversal sequences such as ../, ..%2f, or ..%5c
- Unusual file access patterns in web server logs targeting the grammar loading functionality
- Requests attempting to access sensitive system files like /etc/passwd, /etc/shadow, or application configuration files
- Repeated API calls from single IP addresses probing for file system structure
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Monitor API endpoints for unusual parameter values containing directory traversal sequences
- Deploy intrusion detection systems (IDS) with signatures for common path traversal attack patterns
- Enable detailed logging on the text-generation-webui application to capture all file access attempts
Monitoring Recommendations
- Review web server access logs for requests containing encoded or unencoded path traversal characters
- Set up alerts for failed file access attempts outside expected directories
- Monitor for reconnaissance activity targeting the Gradio API endpoints
- Implement file integrity monitoring on sensitive system files to detect unauthorized access
How to Mitigate CVE-2026-35485
Immediate Actions Required
- Upgrade text-generation-webui to version 4.3 or later immediately
- If immediate upgrade is not possible, restrict network access to the web interface using firewall rules
- Implement authentication on the web interface to prevent unauthenticated access
- Review server logs for evidence of exploitation attempts
Patch Information
This vulnerability is fixed in text-generation-webui version 4.3. The fix implements proper server-side validation of file paths to ensure that only files within the expected grammar directory can be loaded. Users should upgrade to the latest version by pulling the latest release from the official repository. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy with path filtering to block requests containing directory traversal sequences
- Implement network segmentation to limit access to the text-generation-webui interface to trusted networks only
- Add application-level input validation as a temporary measure until the patch can be applied
- Consider running the application in a containerized environment with limited filesystem access
# Example: Restrict access using iptables
# Only allow connections from trusted network (e.g., 192.168.1.0/24)
iptables -A INPUT -p tcp --dport 7860 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7860 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
