CVE-2026-28414
Published: 27 February 2026
Summary
CVE-2026-28414 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Gradio (Gradio Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Gradio, an open-source Python package for quick prototyping, contains an absolute path traversal vulnerability in versions prior to 6.7 when running on Windows under Python 3.13 or later. The root cause is a behavioural change in os.path.isabs: on Windows, Python 3.13 stopped treating root-relative paths such as /windows/win.ini (a path with a root but no drive letter) as absolute. Gradio's path-joining safeguard relied on that check, so such a path passes the guard; os.path.join on Windows then keeps only the drive of the base directory and replaces the rest with the rooted segment, so the joined path lands outside the intended directory and enables unauthorized file reads from the underlying filesystem.
Unauthenticated remote attackers can exploit the flaw over the network to retrieve arbitrary files, including sensitive configuration or data files, even when Gradio authentication is enabled. The vulnerability carries a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact (no integrity or availability impact), and is tracked under CWE-22 and CWE-36.
The referenced Gradio security advisory GHSA-39mp-8hj3-5c49 states that the issue is resolved in version 6.7; practitioners should upgrade promptly and verify that deployed instances are no longer running the affected Python and Gradio combination on Windows.
The associated EPSS score has remained flat at 0.0421 with no material rise since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9082
Vulnerability details
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Windows with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.
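The following is an added example, not Gradio's code or anything from the GHSA advisory. It reconstructs a naive "safe join" that gates on `os.path.isabs` (a hypothetical guard written for this page, not Gradio's actual implementation) next to a containment check that decides by where the joined path ends up. It uses `ntpath` so the Windows semantics run on any host; the allowed directory `C:\app\allowed` and the sample filenames are constructed. Run it under Python 3.12 and again under 3.13 to watch `/windows/win.ini` flip from rejected to accepted in the legacy guard while the containment check rejects it on both.

```python
import ntpath
import sys

# Constructed allowed directory on a Windows host (example data, not from the advisory).
ROOT = r"C:\app\allowed"

# True on Python < 3.13, False on 3.13+: the os.path.isabs change the advisory describes.
ISABS_ROOTED_IS_ABSOLUTE = ntpath.isabs("/windows/win.ini")


def join_by_isabs(root, user_path):
    """Hypothetical legacy guard (NOT Gradio's real code) that depends on isabs().

    Rejects anything isabs() calls absolute and anything containing a '..'
    component, then trusts the path join for the rest. On Python 3.13+ a
    root-relative path such as '/windows/win.ini' is no longer 'absolute',
    so it passes the guard, and ntpath.join() then keeps only the drive
    letter of `root` and replaces the directory part with the rooted segment.
    Returns the joined path, or None when the input is rejected.
    """
    if ntpath.isabs(user_path):
        return None
    if ".." in user_path.replace("/", "\\").split("\\"):
        return None
    return ntpath.normpath(ntpath.join(root, user_path))


def join_by_containment(root, user_path):
    """Hardened variant: check the result of the join, not the shape of the input.

    Normalise both sides and require the candidate to remain under `root`.
    This rejects rooted paths, '..' escapes, other drive letters and UNC paths
    alike, regardless of how isabs() classifies the input. In a real
    deployment resolve symlinks with os.path.realpath() before comparing;
    ntpath is used here only so the Windows semantics run on any host.
    Returns the joined path, or None when it escapes `root`.
    """
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, user_path))
    try:
        inside = ntpath.commonpath([root_norm, candidate]) == root_norm
    except ValueError:  # different drives, or absolute mixed with relative
        inside = False
    return candidate if inside else None


def demo(paths=None):
    """Run both joins over sample inputs; returns {input: (legacy, hardened)}."""
    paths = paths or [
        "reports/q1.csv",               # legitimate relative file
        "/windows/win.ini",             # root-relative: the CVE-2026-28414 shape
        r"..\..\windows\win.ini",       # classic dot-dot traversal
        r"C:\windows\win.ini",          # drive-absolute
        r"\\server\share\secret.txt",   # UNC path
    ]
    return {p: (join_by_isabs(ROOT, p), join_by_containment(ROOT, p)) for p in paths}


if __name__ == "__main__":
    v = sys.version_info
    print(f"Python {v.major}.{v.minor}: isabs('/windows/win.ini') = {ISABS_ROOTED_IS_ABSOLUTE}")
    for p, (legacy, hardened) in demo().items():
        print(f"{p:30} isabs-guard -> {str(legacy):34} containment -> {hardened}")
```

On 3.12 the legacy guard returns `None` for `/windows/win.ini`; on 3.13 it returns `C:\windows\win.ini`, the exact file-read primitive the advisory describes. The containment check never depends on `isabs`, so it behaves the same on every interpreter, which is the property to verify in your own code after upgrading.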
- CWE(s): CWE-22 (Path Traversal), CWE-36 (Absolute Path Traversal)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: gradio
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing Gradio web app directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote file access, and the resulting arbitrary file reads on the server map to T1005 (Data from Local System).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): upgrading Gradio to version 6.7 or later removes the path-joining flaw exposed by the Python 3.13+ change to os.path.isabs, and is the only control that eliminates the vulnerability rather than reducing its reach.
- SI-10 (Information Input Validation): validating user-supplied file paths by checking where the joined, normalised path actually resolves (rather than relying on os.path.isabs or rejecting only ".." segments) prevents root-relative inputs from escaping the intended directory on Windows.
- AC-6 (Least Privilege): running the Gradio process under an account that cannot read sensitive files limits what a successful traversal can retrieve (world-readable files such as win.ini remain reachable, so this reduces impact rather than preventing exploitation).