Absolute Path Traversal Vulnerability in Gradio by Gradio App
CVE-2026-28414
What is CVE-2026-28414?
CVE-2026-28414 is a significant vulnerability in Gradio, an open-source Python package that facilitates rapid prototyping of user interfaces for machine learning models and applications. This specific vulnerability arises from an absolute path traversal issue present in versions prior to 6.7, specifically affecting installations on Windows with Python 3.13 and above. The flaw is rooted in the altered behavior of the os.path.isabs function in Python 3.13+, which now inaccurately treats root-relative paths as non-absolute. Consequently, this leads to a scenario where unauthenticated attackers can exploit Gradio's file-handling logic to read arbitrary files from the server’s file system, regardless of authentication settings. Such a capability could expose sensitive information, configuration files, or other critical data to malicious actors, thereby significantly compromising the security posture of an organization utilizing Gradio.
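The advisory's root cause is that a check built on `os.path.isabs` alone no longer rejects root-relative paths such as `/etc/passwd` or `\Windows\win.ini` on Windows with Python 3.13+. The following is an added example, not Gradio's own code, showing how a defender would write a containment check that does not depend on that behaviour: it uses `ntpath` explicitly (so it behaves identically on any host and Python version), treats drive-qualified, root-relative and UNC forms as rooted, and then verifies that the normalised join stays under an allowed base directory. The `base_dir` value and the `safe_join` / `is_rooted` names are assumptions made for this example.

```python
import ntpath
import posixpath
from typing import Optional


def is_rooted(path: str) -> bool:
    """Return True if `path` would ignore a relative join on Windows.

    Covers drive-absolute (C:\\x), drive-relative (C:x), root-relative
    (\\x or /x) and UNC (\\\\server\\share\\x) forms.  Deliberately avoids
    ntpath.isabs, which stopped reporting root-relative paths as absolute
    in Python 3.13.
    """
    drive, tail = ntpath.splitdrive(path)
    if drive:
        return True                       # C:\x, C:x, \\server\share\x
    return tail.startswith(("\\", "/"))   # \x or /x (root-relative)


def is_rooted_any_os(path: str) -> bool:
    """Reject both Windows-rooted and POSIX-absolute forms."""
    return is_rooted(path) or posixpath.isabs(path)


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Join a user-supplied path under base_dir; return None if it escapes.

    base_dir is assumed to be an absolute Windows directory (example value).
    Normalisation collapses '..' segments and converts '/' to '\\' so the
    prefix comparison is done on a canonical form.
    """
    if is_rooted_any_os(user_path):
        return None
    base = ntpath.normcase(ntpath.normpath(base_dir))
    candidate = ntpath.normpath(ntpath.join(base_dir, user_path))
    cmp = ntpath.normcase(candidate)
    if cmp == base or cmp.startswith(base + "\\"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    base = "C:\\app\\data"
    for p in ["report.txt", "sub/file.txt", "..\\secrets.txt",
              "/Windows/win.ini", "\\Windows\\win.ini", "C:\\Windows\\win.ini",
              "\\\\server\\share\\f"]:
        print(f"{p!r:>28} -> {safe_join(base, p)!r}")
```

The key difference from an `isabs`-only guard is that `is_rooted` treats any leading separator as rooted; `safe_join` then still applies the usual `..` containment check, so both classes of escape are caught by one function.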
Potential impact of CVE-2026-28414
- Unauthorized Data Access: The vulnerability allows attackers to access files on the server without any authentication. This could lead to the exposure of sensitive data, configuration files, or critical information stored on the server, creating a substantial risk of data breaches.
- Compromise of Application Integrity: By leveraging this vulnerability, attackers could obtain files that may include application secrets or credentials, potentially enabling further attacks on the system or the underlying infrastructure. Such compromises can lead to escalated privileges and unauthorized manipulation of other components within the application ecosystem.
- Threat to Overall System Security: The ability for attackers to read arbitrary files poses a broader threat to the integrity and confidentiality of the system. If sensitive files containing private keys or sensitive application data are accessed, it could lead to a complete compromise of the application and its data, risking not just the immediate system but also connected services and networks.
Affected Version(s)
gradio < 6.7
