What is the CVSS score of CVE-2026-28414?

CVE-2026-28414 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Windows are affected by CVE-2026-28414?

Gradio versions up to 6.7 contain a critical arbitrary file read vulnerability that could allow attackers to access sensitive organizational data including credentials, source code, and confidential…. A patch is available.

Is there a public PoC exploit available for CVE-2026-28414?

Yes, a public proof-of-concept exploit is available for CVE-2026-28414. Prioritise patching immediately. EPSS: 0.1%.

Windows CVE-2026-28414

HIGH

Absolute Path Traversal (CWE-36)

2026-02-27 security-advisories@github.com

GHSA-39mp-8hj3-5c49

Windows Python Path Traversal AI / ML Gradio

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 05, 2026 - 13:09 vuln.today

Public exploit code

CVE Published

Feb 27, 2026 - 22:16 nvd

HIGH 7.5

DescriptionNVD

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of os.path.isabs so that root-relative paths like /windows/win.ini on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.

AnalysisAI

Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (CVSS 7.5).

RemediationAI

Within 24 hours: Inventory all systems running Gradio versions up to 6.7 and assess exposure to untrusted networks. Within 7 days: Implement network segmentation to restrict Gradio application access, deploy WAF rules blocking suspicious file path requests, and disable Gradio's file serving features if not operationally required. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28414 vulnerability details – vuln.today

Back

Windows CVE-2026-28414

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code