Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get() with zero validation - no scheme check, no IP filtering, no hostname allowlist. An attacker can access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content is exfiltrated through the RAG pipeline. This vulnerability is fixed in 4.3.
AnalysisAI
Server-Side Request Forgery (SSRF) in oobabooga text-generation-webui versions prior to 4.3 allows unauthenticated remote attackers to access cloud metadata endpoints, exfiltrate IAM credentials, and probe internal network services via malicious URLs processed by the superbooga/superboogav2 RAG extensions. The vulnerability stems from unvalidated requests.get() calls with no scheme, IP, or hostname filtering. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided, but the attack vector is network-accessible without authentication (AV:N/PR:N), making this a significant risk for publicly exposed instances in cloud environments.
Technical ContextAI
The vulnerability affects oobabooga text-generation-webui (CPE: cpe:2.3:a:oobabooga:text-generation-webui), a web interface for running Large Language Models with Retrieval-Augmented Generation (RAG) capabilities. The flaw is classified as CWE-918 (Server-Side Request Forgery), occurring in the superbooga and superboogav2 extensions. These extensions implement RAG functionality by fetching external content via Python's requests.get() without input validation. The lack of URL scheme validation, IP address filtering, or hostname allowlisting enables attackers to specify internal URLs (e.g., http://169.254.169.254/latest/meta-data/ for AWS metadata, http://metadata.google.internal/ for GCP) or RFC1918 private network addresses. The fetched content is then processed through the RAG pipeline, creating an exfiltration channel where internal data becomes embedded in model responses or logs. This is particularly critical in cloud deployments where metadata endpoints expose temporary IAM credentials, API tokens, and instance configuration data.
RemediationAI
Immediately upgrade to text-generation-webui version 4.3 or later, which includes input validation fixes for the affected RAG extensions. The vendor-released patch is available through the project's GitHub repository at https://github.com/oobabooga/text-generation-webui with security details documented in advisory GHSA-jvrj-w5hq-6cp2. For organizations unable to upgrade immediately, implement compensating controls: disable the superbooga and superboogav2 extensions entirely, deploy network-layer controls to block outbound requests to RFC1918 private addresses and cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.), and implement web application firewall rules to filter suspicious URL patterns in RAG extension inputs. In cloud environments, apply Instance Metadata Service v2 (IMDSv2) on AWS to require session tokens for metadata access, use workload identity federation where possible to limit credential exposure, and ensure IAM roles attached to compute instances follow least-privilege principles to minimize blast radius if credentials are exfiltrated.
More in Text Generation Webui
View allRemote unauthenticated file disclosure in oobabooga text-generation-webui versions prior to 4.3 allows arbitrary file re
Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary .
Unauthenticated path traversal in text-generation-webui prior to version 4.3 allows remote attackers to read arbitrary Y
Unauthenticated path traversal in text-generation-webui prior to version 4.3 enables remote attackers to read arbitrary
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19671