Executive Summary
A critical path traversal vulnerability (CVE-2026-35050, CWE-22) in text-generation-webui versions 4.1 and earlier allows privileged users (CVSS PR:H) to overwrite arbitrary Python files in the application root directory via the extension settings save feature, leading to remote code execution on the back-end server (GHSA-jg96-p5p6-q3cv). Exploitation requires high-privilege access to the Web UI (CVSS PR:H); this is not a no-privilege attack vector (NVD). The CNA-submitted CVSS 3.1 base score is 9.1 (Critical); NVD has not completed its own analysis (NVD, vulnStatus: Undergoing Analysis). Two proof-of-concept exploitation methods are documented in the vendor advisory (GHSA-jg96-p5p6-q3cv). Organisations running affected versions should upgrade to 4.1.1 immediately (GHSA-jg96-p5p6-q3cv).
Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | Critical | CNA-submitted CVSS 3.1: 9.1 (NVD) |
| Urgency | High | Patch available (4.1.1), documented PoC methods (GHSA-jg96-p5p6-q3cv) |
| Scope | Moderate | Requires high-privilege Web UI access (PR:H); privileged Web UI abuse, compromised privileged account, or exposed admin interface, not a no-privilege internet RCE (RAXE assessment) |
| Confidence | High | B2: Usually reliable source, probably true; two documented exploitation methods (GHSA-jg96-p5p6-q3cv) |
| Business Impact | High | Successful exploitation grants arbitrary code execution on the server, enabling data exfiltration and system compromise (GHSA-jg96-p5p6-q3cv) |
Affected Products
| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| text-generation-webui (oobabooga) | <= 4.1 | 4.1.1 | Patch available (GHSA-jg96-p5p6-q3cv) |
Am I Affected?
- Check if you use text-generation-webui: Look for the `text-generation-webui` directory in your deployment, or check for the Gradio-based LLM web interface running on your network (RAXE assessment)
- Check version: Review the application's version file or Git tag. Versions 4.1 and earlier are affected (GHSA-jg96-p5p6-q3cv)
- Check deployment context: If the Web UI is accessible to multiple users with administrative privileges, or if it is exposed beyond localhost, the risk is elevated (RAXE assessment)
Abstract
CVE-2026-35050 is a path traversal vulnerability (CWE-22) in text-generation-webui, an open-source web interface for running large language models (NVD). The flaw resides in the extension settings save functionality, which permits users with high-privilege Web UI access to write files in Python ("py") format to the application root directory (NVD). By overwriting executable Python files such as download-model.py, an attacker can achieve remote code execution when the overwritten file is subsequently triggered through the Model menu's download function (NVD). The vulnerability was disclosed on 2026-04-06 and is fixed in version 4.1.1 (GHSA-jg96-p5p6-q3cv). The CNA-submitted CVSS 3.1 score of 9.1 reflects the Changed scope (S:C) and full confidentiality, integrity, and availability impact upon successful exploitation, tempered by the high-privilege prerequisite (NVD).
Key Findings
- Path traversal via extension settings: The "File Folder" field in Session > Save extensions settings can be manipulated to write Python files to arbitrary locations within the application root (GHSA-jg96-p5p6-q3cv)
- Client-side-only restriction bypassed: The "disabled" HTML attribute on the File Folder field is a frontend-only control with no server-side validation (GHSA-jg96-p5p6-q3cv)
- Two documented exploitation methods: UI manipulation (removing the disabled attribute) and proxy interception (modifying POST to `/queue/join`) (GHSA-jg96-p5p6-q3cv)
- Chained to RCE: Overwritten Python files (e.g., `download-model.py`) are executed when triggered through the Model menu download function (NVD)
- High-privilege prerequisite: CVSS `PR:H`, meaning exploitation requires existing privileged access to the Web UI (NVD); this encompasses privileged Web UI abuse, compromised privileged accounts, or exposed admin/session-settings interfaces, not a no-privilege internet RCE (RAXE assessment)
- Low predicted exploitation probability: FIRST.org EPSS rates the vulnerability at 0.00076 (22.9th percentile) (FIRST.org EPSS)
Attack Flow
Prerequisites:
- High-privilege Web UI access (PR:H)
- text-generation-webui <= 4.1
+--------------------------------------------+
| 1. Privileged user opens Session settings |
+---------------------+----------------------+
|
v
+--------------------------------------------+
| 2. Bypass client-side File Folder lock |
| A: remove disabled attribute in browser |
| B: intercept /queue/join POST request |
+---------------------+----------------------+
|
v
+--------------------------------------------+
| 3. Set file path to app-root Python file |
| Example target: download-model.py |
+---------------------+----------------------+
|
v
+--------------------------------------------+
| 4. Save extension settings |
| Server writes .py to attacker path |
+---------------------+----------------------+
|
v
+--------------------------------------------+
| 5. Trigger normal app execution path |
| Model menu > Download model |
+---------------------+----------------------+
|
v
+--------------------------------------------+
| 6. Attacker Python code runs on server |
+--------------------------------------------+
Sources: NVD description for CVE-2026-35050; GHSA-jg96-p5p6-q3cv for exploitation methods and chain detail.
Technical Details
Vulnerability Mechanics
The extension settings save feature in text-generation-webui allows users to persist configuration in Python ("py") format (NVD). The "File Folder" field in Session settings is rendered with a "disabled" HTML attribute to prevent user modification in the browser (GHSA-jg96-p5p6-q3cv). However, this is a client-side restriction only; no corresponding server-side path validation exists to prevent writes outside the intended extensions directory (GHSA-jg96-p5p6-q3cv).
By removing the disabled attribute via browser developer tools, or by intercepting and modifying the POST request to /queue/join using a proxy tool such as Burp Suite, a privileged user can specify an arbitrary file path within the application root (GHSA-jg96-p5p6-q3cv). The server writes the settings content as a Python file to the attacker-specified location, overwriting any existing file at that path (NVD).
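A server-side containment check of the kind whose absence is described above, as an added example (not text-generation-webui's code and not the 4.1.1 fix). `resolve_inside`, `PathRejected`, the `extensions` base directory and the test inputs are hypothetical.

```python
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a client-supplied save location leaves the allowed directory."""


def resolve_inside(base_dir, folder, filename):
    """Return the absolute save path, or raise PathRejected.

    base_dir is the only directory the feature may write to (assumed here to
    be the extensions directory); folder and filename arrive from the client
    and are untrusted, whatever the browser form allowed.
    """
    base = Path(base_dir).resolve()
    folder, filename = str(folder), str(filename)
    if "\0" in folder + filename:
        raise PathRejected("NUL byte in path")
    # The file name must be a single path component, never a path.
    if filename in ("", ".", "..") or "\\" in filename or Path(filename).name != filename:
        raise PathRejected(f"bad file name: {filename!r}")
    # Resolve '..' and symlinks first, then compare against the base.
    # An absolute folder replaces base in the join and fails the check below.
    candidate = (base / folder / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathRejected(f"{candidate} is outside {base}") from None
    return candidate


def demo():
    """Run constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        ext = Path(root, "extensions")
        ext.mkdir()
        cases = {  # constructed test inputs: (folder, filename)
            "normal": ("my_ext", "settings.py"),
            "parent": ("..", "download-model.py"),
            "absolute": (root, "download-model.py"),
            "name_is_path": ("my_ext", "../../download-model.py"),
        }
        for label, (folder, name) in cases.items():
            try:
                resolve_inside(ext, folder, name)
                results[label] = "allowed"
            except PathRejected:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison is made on the resolved path, so a check of this shape also rejects a folder that is a symlink pointing out of the base directory.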
Exploitation Chain
The path traversal alone constitutes a file overwrite primitive. To achieve remote code execution, the attacker overwrites a Python file that is executed by the application during normal operations (NVD). The advisory specifically identifies download-model.py as a viable target: this file is executed when a user requests a model download from the "Model" menu (NVD). Upon triggering this action, the attacker's payload runs with the privileges of the text-generation-webui process on the server (GHSA-jg96-p5p6-q3cv).
CVSS and Severity
| Scoring System | Score | Severity | Vector | Source |
|---|---|---|---|---|
| CVSS 3.1 | 9.1 | Critical | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CNA-submitted (NVD) |
NVD status: The NVD entry for CVE-2026-35050 is currently "Undergoing Analysis" (NVD). The CVSS 3.1 score of 9.1 is CNA-submitted via the GitHub Security Advisory programme; it has not been independently evaluated or confirmed by NVD analysts. The final score determined by NVD may differ.
Privilege requirement context: Despite the Critical severity rating, the CVSS vector specifies PR:H (high privileges required) (NVD). Exploitation is limited to users with existing privileged access to the Web UI. The elevated base score is driven by S:C (Scope: Changed), indicating impact extends beyond the vulnerable component to the underlying server, combined with full C:H/I:H/A:H impact metrics (NVD).
CWE Classification
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") (NVD). The vulnerability arises from absent server-side validation of user-supplied file paths in the extension settings save functionality.
Exploit Prediction
FIRST.org EPSS rates CVE-2026-35050 at a probability score of 0.00076 with a percentile ranking of 22.9% (FIRST.org EPSS). This indicates low predicted exploitation probability relative to the broader CVE population. The high-privilege prerequisite likely contributes to the low EPSS score (RAXE assessment).
Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor Advisory | Published | GHSA-jg96-p5p6-q3cv (2026-04-06) (GHSA-jg96-p5p6-q3cv) |
| CVE Assigned | Yes | CVE-2026-35050 (NVD) |
| PoC Available | Yes (conceptual) | Two exploitation methods documented in GHSA advisory (GHSA-jg96-p5p6-q3cv) |
| Patch Available | Yes | Version 4.1.1 (GHSA-jg96-p5p6-q3cv) |
| Exploited in Wild | No evidence | No known in-the-wild exploitation; EPSS 0.00076 (FIRST.org EPSS) |
Source grading: Admiralty B2: Usually reliable source (NVD and GitHub Security Advisories), probably true information (documented exploitation methods in the advisory, not independently reproduced by RAXE Labs).
Limitations:
- NVD analysis is incomplete ("Undergoing Analysis"); CVSS may be revised (NVD)
- RAXE Labs has not independently reproduced exploitation; assessment is based on the advisory-documented methods (RAXE assessment)
- No credit attribution is provided in the advisory; the reporter's identity is unknown (GHSA-jg96-p5p6-q3cv)
- The GHSA API returned a 404 at the time of retrieval; advisory data is sourced from the NVD CVE record and the publicly accessible GHSA web page
Detection Signatures
Two Sigma rules are provided below for detecting exploitation attempts and post-exploitation artefacts associated with CVE-2026-35050. These are RAXE Labs hunting rules; they have not been tested in production environments.
Rule 1: text-generation-webui Extension Settings Path Traversal (Delivery Telemetry)
Classification: Delivery telemetry (RAXE hunting rule) Severity Tier: Medium
Detects HTTP POST requests to the /queue/join endpoint containing path traversal sequences or references to Python files outside the extensions directory, consistent with CVE-2026-35050 exploitation (GHSA-jg96-p5p6-q3cv).
```yaml
title: text-generation-webui Extension Settings Path Traversal Attempt
id: raxe-2026-052-sigma-001
status: experimental
description: >
  Detects POST requests to the text-generation-webui /queue/join endpoint
  containing path traversal indicators or references to Python files in the
  application root. CVE-2026-35050 allows overwriting arbitrary Python files
  via the extension settings save feature (GHSA-jg96-p5p6-q3cv).
  Requires high-privilege Web UI access (PR:H) (NVD).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-35050
  - https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv
author: RAXE Labs
date: 2026/04/12
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.35050
logsource:
  category: webserver
  product: generic
detection:
  selection_endpoint:
    cs-uri-stem|contains: '/queue/join'
    cs-method: 'POST'
  selection_traversal:
    cs-body|contains:
      - '../'
      - '..\\'
      - 'download-model.py'
      - '.py'
  condition: selection_endpoint and selection_traversal
level: medium
falsepositives:
  - Legitimate extension settings save operations that reference .py files
  - Web application scanners testing for path traversal
```
Rule 2: Python File Modification in text-generation-webui Root (Post-Exploitation Hunting)
Classification: Post-exploitation hunting (RAXE hunting rule) Severity Tier: High
Detects modification of Python files in the text-generation-webui application root directory, which may indicate file overwrite via CVE-2026-35050 (GHSA-jg96-p5p6-q3cv). Requires file integrity monitoring (Sysmon, auditd, or OSSEC).
```yaml
title: text-generation-webui Root Python File Overwrite
id: raxe-2026-052-sigma-002
status: experimental
description: >
  Detects writes to Python files in the text-generation-webui application
  root directory by the web application process. CVE-2026-35050 enables
  overwriting Python files (e.g., download-model.py) through the extension
  settings save feature, which can then be triggered for execution
  (GHSA-jg96-p5p6-q3cv). Requires file integrity monitoring (Sysmon,
  auditd, or OSSEC).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-35050
  - https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jg96-p5p6-q3cv
author: RAXE Labs
date: 2026/04/12
tags:
  - attack.persistence
  - attack.t1505.003
  - cve.2026.35050
logsource:
  category: file_change
  product: linux
detection:
  selection:
    TargetFilename|endswith: '.py'
    TargetFilename|contains: 'text-generation-webui'
  filter_extensions:
    TargetFilename|contains: '/extensions/'
  condition: selection and not filter_extensions
level: high
falsepositives:
  - Legitimate application updates or plugin installations
  - Development/debugging activities modifying source files
```
Detection & Mitigation
Immediate Actions
- Patch: Upgrade text-generation-webui to version 4.1.1 or later (GHSA-jg96-p5p6-q3cv)
- Access review: Audit all accounts with access to the Web UI; remove unnecessary privileged access (RAXE assessment)
- Network restriction: If the Web UI is exposed beyond localhost, implement network-level access controls to restrict access to trusted IP ranges (RAXE assessment)
Detection Guidance
- Web server logs: Monitor POST requests to `/queue/join` for path traversal sequences (`../`, `..\`) or references to Python files in the application root (RAXE assessment). Note: many default web server configurations do not log request bodies; ensure body logging is enabled for this endpoint (RAXE assessment)
- File integrity monitoring: Deploy FIM (e.g., OSSEC, Sysmon, auditd) on the text-generation-webui application root to detect unexpected modifications to `.py` files (RAXE assessment). This is the most reliable detection method for post-exploitation artefacts
- Process monitoring: Alert on the text-generation-webui process spawning unexpected child processes, which may indicate execution of overwritten Python files (RAXE assessment)
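Where no FIM agent is deployed, the file-integrity check above can be approximated with a hash baseline, shown here as an added example (not a RAXE Labs or project tool). It has the same intent as Rule 2: flag `.py` changes outside `extensions/`. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Same intent as filter_extensions in Rule 2: settings saved here are expected.
EXCLUDED_DIRS = {"extensions"}


def snapshot(app_root):
    """Map relative path -> SHA-256 for every .py file outside excluded dirs."""
    root = Path(app_root)
    digests = {}
    for path in sorted(root.rglob("*.py")):
        rel = path.relative_to(root)
        if rel.parts[0] in EXCLUDED_DIRS or not path.is_file():
            continue
        digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Baseline a constructed tree, change three files, report what is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "extensions" / "my_ext").mkdir(parents=True)
        (root / "modules").mkdir()
        (root / "download-model.py").write_text("# original\n")
        (root / "modules" / "ui.py").write_text("# ui\n")
        (root / "extensions" / "my_ext" / "settings.py").write_text("a = 1\n")
        baseline = snapshot(root)
        # Constructed changes: one expected (extension settings), two not.
        (root / "extensions" / "my_ext" / "settings.py").write_text("a = 2\n")
        (root / "download-model.py").write_text("# changed\n")
        (root / "server_extra.py").write_text("# new\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a known-good 4.1.1 install and store it somewhere the web process cannot write, otherwise the same overwrite primitive can alter the baseline.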
Medium-Term Hardening
- Least privilege: Run text-generation-webui with minimal filesystem permissions; restrict write access to the application root directory (RAXE assessment)
- Extension audit: Review other extension settings save paths for similar path traversal vectors in the codebase (RAXE assessment)
- Authentication hardening: Implement multi-factor authentication for Web UI access where supported, or use a reverse proxy with additional authentication layers (RAXE assessment)
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| HTTP Request | POST to /queue/join with ../ in body | Delivery: path traversal attempt via proxy interception method (GHSA-jg96-p5p6-q3cv) |
| File Modification | Unexpected write to download-model.py in app root | Post-exploitation: file overwrite artefact (NVD) |
| File Modification | Any .py file in app root modified by web process | Post-exploitation: generalised overwrite detection (RAXE assessment) |
| Process Execution | Unusual child process spawned by text-generation-webui | Post-exploitation: execution of overwritten Python file (RAXE assessment) |
Note: IOCs labelled "(RAXE assessment)" are analyst-derived hunting indicators, not confirmed in-the-wild artefacts.
Strategic Context
AI tooling supply chain risk. text-generation-webui is an open-source web interface for running large language models (NVD). Vulnerabilities in LLM deployment tooling represent a growing category within the AI supply chain threat landscape (RAXE assessment). The path traversal to RCE chain in this case demonstrates how traditional web application vulnerability classes (CWE-22) manifest in AI-specific infrastructure where Python files serve as executable components (RAXE assessment).
Privilege-gated severity. The PR:H requirement narrows the realistic attack surface to privileged Web UI abuse, compromised privileged accounts, or environments where the admin interface is exposed to untrusted users (RAXE assessment). Organisations deploying text-generation-webui in multi-user environments (common in research teams, internal AI experimentation platforms, and shared inference services) face the highest exposure (RAXE assessment). The CNA-submitted Critical severity accurately reflects the post-exploitation impact (full server compromise) but may overstate the practical risk for single-user localhost deployments (RAXE assessment).
Client-side security theatre. The reliance on a "disabled" HTML attribute as the sole access control for the File Folder field underscores a recurring pattern in web application security: client-side restrictions without server-side enforcement (RAXE assessment). This pattern warrants attention in security reviews of AI web interfaces more broadly, where rapid development cycles may prioritise functionality over defence in depth (RAXE assessment).
Disclosure timeline. CVE-2026-35050 was published on 2026-04-06 with a patch (4.1.1) available concurrently (NVD, GHSA-jg96-p5p6-q3cv). The coordinated disclosure with fix availability is a positive indicator of the project's security maturity (RAXE assessment).
References
- CVE-2026-35050: NVD entry (CNA-submitted, vulnStatus: Undergoing Analysis)
- GHSA-jg96-p5p6-q3cv: GitHub Security Advisory, vendor advisory, fix in 4.1.1
- FIRST.org EPSS: CVE-2026-35050: EPSS score 0.00076, 22.9th percentile