CVE-2026-28414

Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.

How to fix CVE-2026-28414

To remediate CVE-2026-28414, upgrade the affected package to a fixed version below.

• —upgrade to 6.7.0 or later
• —upgrade to 6.7.0 or later

Is CVE-2026-28414 being exploited?

Low — EPSS is 4.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 6.7.0
• from 0, < 6.7.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-28414
• PATCHgithub.com/gradio-app/gradio
• WEBgithub.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04
• WEBgithub.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49