Impact
This vulnerability allows an attacker to supply arbitrary URLs to the superbooga and superboogav2 RAG extensions, which fetch them with requests.get without any validation. The absence of scheme checks, IP filtering, and hostname allowlisting leads to Server-Side Request Forgery (SSRF), enabling attackers to reach internal network resources, cloud metadata endpoints, or other servers behind firewalls. Successful exploitation can expose IAM credentials, and the fetched content is exfiltrated through the RAG pipeline itself, causing a breach of confidentiality and potentially allowing further lateral movement.
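The following is an added example, not code from text-generation-webui or the superbooga extensions, showing the kind of validation the advisory says was missing: a scheme allowlist, rejection of embedded credentials, an optional hostname allowlist, and a check that every address the host resolves to lies outside loopback, private, link-local (which covers 169.254.169.254) and other non-routable ranges. The function names, the blocked-range list and the offline stand-in resolver are assumptions for illustration; the real resolver uses the standard library only.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a document fetcher should never reach: loopback, RFC 1918, link-local
# (includes the cloud metadata address 169.254.169.254), CGNAT, "this network",
# and the IPv6 equivalents. Constructed list for the example; extend as needed.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


class UnsafeURL(ValueError):
    """Raised when a URL fails any of the fetch-safety checks."""


def resolve_all(host):
    """Resolve a hostname to every A/AAAA address it maps to, so a public name
    that also points at an internal address is caught, not only literal IPs."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as e:
        raise UnsafeURL(f"cannot resolve {host!r}") from e
    return {ipaddress.ip_address(info[4][0]) for info in infos}


# Constructed, offline stand-in for DNS so the example runs without network.
CONSTRUCTED_DNS = {
    "docs.example.com": {"93.184.216.34"},
    "meta.internal": {"169.254.169.254"},
    "dual.example.com": {"93.184.216.34", "10.0.0.5"},  # one public, one private
}


def constructed_resolver(host):
    try:
        return {ipaddress.ip_address(a) for a in CONSTRUCTED_DNS[host]}
    except KeyError as e:
        raise UnsafeURL(f"cannot resolve {host!r}") from e


def validate_fetch_url(url, allowed_hosts=None, resolver=resolve_all):
    """Return the parsed URL if it is safe to fetch, otherwise raise UnsafeURL.

    Checks, in order: scheme allowlist, presence of a host, no embedded
    credentials, optional hostname allowlist, and every address the host
    resolves to (or the literal IP) outside BLOCKED_NETWORKS.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parsed.scheme!r} not allowed")
    host = parsed.hostname  # already lower-cased, brackets stripped for IPv6
    if not host:
        raise UnsafeURL("URL has no host")
    if parsed.username or parsed.password:
        raise UnsafeURL("credentials in URL are not allowed")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    try:
        addresses = {ipaddress.ip_address(host)}  # literal IPv4/IPv6
    except ValueError:
        addresses = resolver(host)
    for ip in addresses:
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise UnsafeURL(f"host {host!r} resolves to blocked address {ip}")
    return parsed


def is_safe_url(url, resolver=resolve_all):
    try:
        validate_fetch_url(url, resolver=resolver)
        return True
    except UnsafeURL:
        return False


def fetch_for_rag(url, session, resolver=resolve_all, max_hops=5):
    """Fetch with redirects disabled and every hop re-validated, so a 3xx from a
    public host to an internal address cannot bypass the check. `session` is
    assumed to be a requests.Session (not imported here)."""
    for _ in range(max_hops):
        validate_fetch_url(url, resolver=resolver)
        resp = session.get(url, allow_redirects=False, timeout=10)
        if resp.is_redirect or resp.is_permanent_redirect:
            url = urljoin(url, resp.headers["Location"])
            continue
        return resp
    raise UnsafeURL("too many redirects")
```

Resolving the name in the validator and then again inside the HTTP client leaves a small window for DNS rebinding; where that matters, pin the connection to the validated address or run the fetch through an egress proxy that enforces the same ranges.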
Affected Systems
The vulnerability affects the open-source web interface text-generation-webui by oobabooga, specifically the superbooga and superboogav2 RAG extensions. Versions prior to 4.3 are impacted; the issue was fixed in version 4.3 and later releases.
Risk and Exploitability
The CVSS base score of 7.5 indicates high severity. Although EPSS data is unavailable, the exploitation scenario requires only that an attacker be able to reach the web interface and provide a crafted URL; no additional privileges are needed. The vulnerability is not listed in CISA's KEV catalog, but the potential to reach cloud metadata services and internal hosts makes it a serious threat. Attackers can leverage the SSRF to exfiltrate data or gain privileged system access, posing significant confidentiality, integrity, and availability risks.
OpenCVE Enrichment