CVE-2026-35486 Overview
CVE-2026-35486 is a Server-Side Request Forgery (SSRF) vulnerability discovered in text-generation-webui, a popular open-source web interface for running Large Language Models. Prior to version 4.3, the superbooga and superboogav2 RAG (Retrieval-Augmented Generation) extensions fetch user-supplied URLs via requests.get() with zero validation — no scheme check, no IP filtering, and no hostname allowlist. An attacker can exploit this vulnerability to access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is subsequently exfiltrated through the RAG pipeline.
Critical Impact
Attackers can leverage this SSRF vulnerability to access internal cloud infrastructure, steal sensitive IAM credentials from metadata endpoints (such as AWS 169.254.169.254), and conduct reconnaissance on internal network services.
Affected Products
- oobabooga text_generation_web_ui versions prior to 4.3
- superbooga RAG extension (all versions prior to 4.3)
- superboogav2 RAG extension (all versions prior to 4.3)
Discovery Timeline
- 2026-04-07 - CVE-2026-35486 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35486
Vulnerability Analysis
This vulnerability is classified as CWE-918: Server-Side Request Forgery (SSRF). The fundamental issue lies in the RAG extensions' URL fetching functionality, which accepts user-controlled input and directly passes it to the requests.get() function without implementing any security controls.
The lack of input validation creates a direct path for attackers to manipulate the server into making requests on their behalf. Since the request originates from the server itself, it bypasses traditional perimeter security controls and can access resources that would otherwise be inaccessible from external networks.
In cloud environments, this vulnerability is particularly dangerous because attackers can target instance metadata endpoints. Cloud providers such as AWS, GCP, and Azure expose sensitive information through well-known IP addresses (e.g., 169.254.169.254), including temporary security credentials that can be used to pivot to other cloud resources.
Root Cause
The root cause of CVE-2026-35486 is the complete absence of URL validation in the superbooga and superboogav2 extensions. The code accepts user-supplied URLs and fetches them without implementing:
- Scheme validation: No check to ensure only http:// or https:// schemes are used
- IP address filtering: No blocklist for internal/private IP ranges or cloud metadata endpoints
- Hostname allowlisting: No restriction on which domains can be accessed
- DNS rebinding protection: No safeguards against DNS-based SSRF bypass techniques
This design oversight allows arbitrary URL fetching, transforming the RAG feature into an open proxy for accessing internal resources.
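The four controls listed as missing above, sketched as a pre-fetch check. This is an added example, not the project's 4.3 patch (which this page does not show); `check_url`, `UnsafeURL`, `resolve_all`, `is_public` and the `ALLOWED_HOSTS` setting are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = frozenset()  # hypothetical operator allowlist; empty = any public host


class UnsafeURL(ValueError):
    """The user-supplied URL must not be fetched."""


def resolve_all(host, port):
    # Collect every A/AAAA answer; a single internal one is enough to refuse.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_public(ip_text):
    addr = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    addr = getattr(addr, "ipv4_mapped", None) or addr   # unwrap ::ffff:a.b.c.d
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16), etc.
    return addr.is_global


def check_url(url, resolver=resolve_all, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, port, vetted_ips) for a fetchable URL, else raise UnsafeURL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        raise UnsafeURL(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} is not allowed")
    if not host:
        raise UnsafeURL("URL has no hostname")
    if allowed_hosts and host not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} is not on the allowlist")
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        ips = resolver(host, port)
    except OSError as exc:
        raise UnsafeURL(f"cannot resolve {host!r}") from exc
    blocked = [ip for ip in ips if not is_public(ip)]
    if blocked or not ips:
        raise UnsafeURL(f"{host!r} resolves to non-public address(es): {blocked}")
    # The caller must connect to one of these addresses, not re-resolve the name,
    # otherwise a second DNS answer can differ from the one vetted here.
    return host, port, ips
```

With `requests`, also pass `allow_redirects=False` or run `check_url` on every redirect target, so that each hop gets the same check as the original URL.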
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by supplying a malicious URL to the RAG extension through the web interface. The vulnerability can be exploited in several ways:
- Cloud Metadata Access: Targeting cloud provider metadata endpoints to retrieve IAM credentials, instance information, and other sensitive configuration data
- Internal Service Scanning: Probing internal network services to discover running applications, open ports, and service versions
- Internal API Access: Reaching internal APIs that are not exposed to the internet but accessible from the server's network context
- Data Exfiltration: The fetched content is processed through the RAG pipeline, allowing attackers to receive the results of their SSRF requests through the LLM's responses
The vulnerability mechanism involves the requests.get() function being called with untrusted URL input. When a user provides a URL like http://169.254.169.254/latest/meta-data/iam/security-credentials/, the server directly fetches this internal resource and processes the response through the RAG pipeline, effectively leaking sensitive information. For complete technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35486
Indicators of Compromise
- Outbound HTTP requests from the text-generation-webui server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests targeting cloud metadata endpoints (169.254.169.254, metadata.google.internal, 169.254.169.254:80)
- Unusual patterns in RAG extension logs showing requests to non-public URLs
- Unexpected IAM credential usage or role assumption events in cloud audit logs
Detection Strategies
- Monitor network traffic from the text-generation-webui server for connections to private IP ranges and cloud metadata endpoints
- Implement logging for all URL fetch operations in the RAG extensions and alert on suspicious patterns
- Review web application firewall logs for requests containing internal IP addresses or metadata endpoint URLs
- Deploy network segmentation rules and monitor for violations originating from the application server
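One way to turn the network indicators above into a check over outbound flow records, as an added example that is not part of the original advisory. The four-field record layout, the sample records, the server address `10.0.1.20` and the function names are constructed assumptions; adapt the parsing to your flow-log source.

```python
import ipaddress
from collections import Counter

# Destinations named in the indicator list above.
WATCHED = {
    "cloud-metadata": ["169.254.169.254/32"],
    "private-range": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
NETS = {cat: [ipaddress.ip_network(n) for n in nets] for cat, nets in WATCHED.items()}

# Constructed sample in an assumed "time src dst dport" layout.
SAMPLE_FLOWS = """\
2026-04-08T10:00:01Z 10.0.1.20 93.184.216.34 443
2026-04-08T10:00:05Z 10.0.1.20 10.0.1.50 5432
2026-04-08T10:02:11Z 10.0.1.20 169.254.169.254 80
2026-04-08T10:02:12Z 10.0.1.20 169.254.169.254 80
2026-04-08T10:02:40Z 10.0.1.20 10.0.3.7 6379
2026-04-08T10:03:02Z 10.0.1.99 169.254.169.254 80
""".splitlines()


def categorize(dst):
    addr = ipaddress.ip_address(dst)
    for category, nets in NETS.items():
        if any(addr in net for net in nets):
            return category
    return None


def suspect_flows(lines, server_ip, expected=frozenset()):
    """Count the server's outbound flows to watched destinations, per category."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip records that do not match the assumed layout
        _ts, src, dst, dport = fields
        try:
            flow, category = (dst, int(dport)), categorize(dst)
        except ValueError:
            continue  # unparseable address or port
        # Known dependencies (e.g. the app's own database) are not alerts.
        if src == server_ip and category and flow not in expected:
            counts[(category, *flow)] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    for hit in suspect_flows(SAMPLE_FLOWS, "10.0.1.20", {("10.0.1.50", 5432)}):
        print(hit)
```

On instances whose SDKs legitimately read role credentials from the metadata service, baseline that traffic first and alert on changes in volume or timing.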
Monitoring Recommendations
- Enable detailed access logging for the text-generation-webui application
- Configure cloud provider security monitoring (AWS CloudTrail, GCP Cloud Audit Logs, Azure Activity Log) to detect anomalous metadata endpoint access
- Implement network-level monitoring to detect and alert on SSRF-like traffic patterns
- Set up alerts for any IAM credential usage from unexpected sources following potential credential theft
How to Mitigate CVE-2026-35486
Immediate Actions Required
- Upgrade text-generation-webui to version 4.3 or later immediately
- If immediate upgrade is not possible, disable the superbooga and superboogav2 RAG extensions until patched
- Review cloud IAM roles and implement least-privilege principles to minimize the impact of potential credential theft
- Audit network configurations to restrict outbound connections from the application server
Patch Information
The vulnerability is fixed in text-generation-webui version 4.3. Users should upgrade to this version or later to remediate the vulnerability. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Disable the superbooga and superboogav2 extensions if the RAG functionality is not required
- Implement network-level controls to block outbound connections from the application server to cloud metadata endpoints and internal IP ranges
- Deploy a web application firewall (WAF) configured to detect and block SSRF attempts
- Use instance metadata service version 2 (IMDSv2) in AWS environments, which requires session-oriented authentication and mitigates many SSRF attacks against metadata endpoints
# AWS: Block metadata endpoint access using iptables (temporary mitigation; run as root)
iptables -A OUTPUT -d 169.254.169.254 -j DROP

# AWS: Enforce IMDSv2 for EC2 instances (replace the example instance ID with your own)
aws ec2 modify-instance-metadata-options \
    --instance-id i-1234567890abcdef0 \
    --http-tokens required \
    --http-endpoint enabled

