


Perceptive Security
SOC/SIEM Consultancy

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, the superbooga and superboogav2 RAG extensions fetch user-…
Published:
6 April 2026 at 22:00:00
Alert date:
7 April 2026 at 17:04:54
Source:
nvd.nist.gov
Web Technologies, Emerging Technologies
CVE-2026-35486 affects text-generation-webui, an open-source web interface for Large Language Models. Prior to version 4.3, the superbooga and superboogav2 RAG extensions performed unvalidated URL fetching via requests.get() without scheme checks, IP filtering, or hostname allowlists. Attackers can exploit this Server-Side Request Forgery (SSRF) vulnerability to access cloud metadata endpoints, steal IAM credentials, and probe internal services. The fetched content can be exfiltrated through the RAG pipeline. This vulnerability has been patched in version 4.3.
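The three controls the summary lists as missing (scheme check, IP filtering, hostname allowlist) can be combined into a pre-fetch check like the one below. This is an added example, not the project's patch or code from the advisory; `check_fetch_url`, `BlockedURL`, `allowed_hosts` and the injectable `resolve` parameter are hypothetical names chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Pattern the advisory describes: requests.get(url) on a user-supplied URL
# with no scheme check, IP filtering or hostname allowlist.

ALLOWED_SCHEMES = {"http", "https"}


class BlockedURL(ValueError):
    """The URL must not be fetched server-side."""


def _resolve(host, port):
    # Every address the name maps to (IPv4 and IPv6), as strings.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_fetch_url(url, allowed_hosts=None, resolve=_resolve):
    """Return the vetted addresses for url, or raise BlockedURL.

    allowed_hosts: optional set of lowercase hostnames (hypothetical knob).
    resolve: injectable resolver so the check can be tested offline.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise BlockedURL("URL has no hostname")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise BlockedURL(f"host not on allowlist: {host}")
    try:
        addresses = resolve(host, parts.port or (443 if scheme == "https" else 80))
    except OSError as exc:
        raise BlockedURL(f"cannot resolve {host}") from exc
    if not addresses:
        raise BlockedURL(f"{host} has no addresses")
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d as the IPv4 it is
        # One internal address among several is enough to refuse the fetch.
        if not ip.is_global or ip.is_multicast:
            raise BlockedURL(f"{host} resolves to non-public address {ip}")
    return addresses
```

The check only holds if the subsequent request connects to one of the returned addresses and does not follow redirects unchecked (for example `requests.get(url, allow_redirects=False)`, re-validating each `Location` target). Otherwise a second DNS lookup or a redirect can still land on an internal address.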
Technical details
Affected products:
text-generation-webui
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-35486
https://github.com/oobabooga/text-generation-webui/security/advisories/GHSA-jvrj-w5hq-6cp2
This article was created with the assistance of AI technology by Perceptive.
