Gradio is ubiquitous in ML teams for model demos, internal tooling, and rapid prototyping — often exposed on internal networks or directly to the internet. Any Windows-based deployment running Python 3.13+ and Gradio < 6.7 allows unauthenticated attackers to read arbitrary files, including model weights, API keys, .env files, and training data. Patch immediately to 6.7 or restrict network access; assume compromise if this was internet-facing.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | < 6.7.0 | 6.7.0 |
| gradio | pip | — | No patch |
| gradio | pip | — | No patch |
Severity & Risk
Recommended Action
- 1) Patch immediately: upgrade Gradio to 6.7+. 2) Identify all Windows-based Gradio deployments via asset inventory (grep requirements.txt, pyproject.toml, conda envs for 'gradio'). 3) Restrict network access to Gradio instances — bind to localhost only unless external access is required. 4) Audit access logs for path traversal patterns: requests containing '../', absolute paths, or Windows-style paths (e.g., /windows/, /users/). 5) Rotate any credentials (API keys, tokens, DB passwords) that may have been accessible from the server filesystem. 6) If Python 3.13 is required but patching is delayed, downgrade to Python 3.12 as a temporary workaround. 7) Implement WAF rules blocking directory traversal sequences on Gradio endpoints.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.
Exploitation Scenario
An adversary identifies a company's internal ML demo portal running Gradio on a Windows server (common in enterprise ML teams). Using a simple HTTP GET request with a crafted path like /file=/windows/win.ini or /file=/../../../users/mluser/.env, the attacker bypasses Gradio's path validation because Python 3.13's os.path.isabs no longer flags root-relative paths as absolute on Windows. The attacker systematically reads .env files (harvesting Hugging Face tokens, OpenAI API keys, AWS credentials), model configuration files, and proprietary fine-tuning datasets — all without any credentials. With harvested cloud credentials, the attacker pivots to S3 buckets containing full training datasets and model artifacts.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
- github.com/advisories/GHSA-39mp-8hj3-5c49
- github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04
- github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49
- nvd.nist.gov/vuln/detail/CVE-2026-28414
- github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49 Exploit Vendor
- github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49 Exploit Vendor
- github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49 Exploit Vendor