Path Traversal Vulnerability in Gradio Software by Gradio
CVE-2026-49119

8.7HIGH

Key Information:

Vendor

Gradio-app

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-49119?

A path traversal vulnerability exists in Gradio's FileExplorer component's preprocess() method, allowing unauthenticated attackers to bypass the configured root directory. By supplying crafted path segments containing directory traversal sequences or absolute paths, attackers can manipulate the os.path.join function to discard the root_dir prefix. This flaw can result in unauthorized access to sensitive files, posing a significant risk to data integrity and privacy.

Affected Version(s)

gradio 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.