CVE-2026-28414
HIGH
GHSA-39mp-8hj3-5c49
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.
Analysis
Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (CVSS 7.5).
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running Gradio versions up to 6.7 and assess exposure to untrusted networks. Within 7 days: Implement network segmentation to restrict Gradio application access, deploy WAF rules blocking suspicious file path requests, and disable Gradio's file serving features if not operationally required. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today