CVE-2026-28414

HIGH EPSS 86.1%

Published Feb 27, 20264mo ago · Modified Mar 5, 20263mo ago

7.5 CVSS 3.1

High

Published Feb 27, 2026 4mo ago

Last Modified Mar 5, 2026 3mo ago

Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

86.1% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt

CWE-36

Affected Products 1

Vendor	Product	Version	Range
gradio_project	gradio	*	<6.7.0

References 1

github.com https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.