216.73.216.204

CVE-2026-28414

· Published 27/02/2026 22:16 · Modified 27/02/2026 22:16

Labels: CVE-2026-28414 2026-02-27CVE-2026-28414CWE-36[email protected]

Essential information

Published
27/02/2026 22:16
Modified
27/02/2026 22:16
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
gradio / gradio cpe:2.3:a:gradio:gradio:<6.7:*:*:*:*:*:*:*
python / python cpe:2.3:a:python:python:3.13:*:*:*:*:*:*:*

References