CVE-2026-28414: Gradio security flaw enables

Q: Is CVE-2026-28414 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-28414, increasing the risk of exploitation.

Q: How to fix CVE-2026-28414?

1) Patch immediately: upgrade Gradio to 6.7+. 2) Identify all Windows-based Gradio deployments via asset inventory (grep requirements.txt, pyproject.toml, conda envs for 'gradio'). 3) Restrict network access to Gradio instances — bind to localhost only unless external access is required. 4) Audit access logs for path traversal patterns: requests containing '../', absolute paths, or Windows-style paths (e.g., /windows/, /users/). 5) Rotate any credentials (API keys, tokens, DB passwords) that may have been accessible from the server filesystem. 6) If Python 3.13 is required but patching is delayed, downgrade to Python 3.12 as a temporary workaround. 7) Implement WAF rules blocking directory traversal sequences on Gradio endpoints.

Q: What systems are affected by CVE-2026-28414?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, MLOps evaluation pipelines, internal model demo portals, training pipelines, agent frameworks with Gradio UI.

Q: What is the CVSS score for CVE-2026-28414?

CVE-2026-28414 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 3.09%.

CISO Take

Gradio is ubiquitous in ML teams for model demos, internal tooling, and rapid prototyping — often exposed on internal networks or directly to the internet. Any Windows-based deployment running Python 3.13+ and Gradio < 6.7 allows unauthenticated attackers to read arbitrary files, including model weights, API keys, .env files, and training data. Patch immediately to 6.7 or restrict network access; assume compromise if this was internet-facing.

What is the risk?

Risk is HIGH due to zero-prerequisite exploitation: no authentication, no user interaction, low complexity, and network-accessible. The Python 3.13 behavioral change in os.path.isabs creates a silent regression in path validation logic that bypasses even Gradio's own authentication layer. Exposure is significant because Gradio is the de facto standard for ML model UIs and is frequently deployed without hardening. Windows-based MLOps environments and data science workstations are particularly at risk.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Gradio	pip	—	No patch
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →
Gradio	pip	< 6.7.0	`6.7.0`
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

3.1%

chance of exploitation in 30 days

Higher than 86% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

✓ VulnCheck KEV (exploitation reported — broader/earlier than CISA) — May 2026

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

1 step

1) Patch immediately: upgrade Gradio to 6.7+. 2) Identify all Windows-based Gradio deployments via asset inventory (grep requirements.txt, pyproject.toml, conda envs for 'gradio'). 3) Restrict network access to Gradio instances — bind to localhost only unless external access is required. 4) Audit access logs for path traversal patterns: requests containing '../', absolute paths, or Windows-style paths (e.g., /windows/, /users/). 5) Rotate any credentials (API keys, tokens, DB passwords) that may have been accessible from the server filesystem. 6) If Python 3.13 is required but patching is delayed, downgrade to Python 3.12 as a temporary workaround. 7) Implement WAF rules blocking directory traversal sequences on Gradio endpoints.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Extraction Framework API Model AML.T0006 - Active Scanning AML.T0007 - Discover AI Artifacts AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0048.004 - AI Intellectual Property Theft AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system Article 15 - Accuracy, Robustness and Cybersecurity Article 9 - Risk Management System

ISO 42001

A.6.2.6 - AI system security A.8.2 - AI system vulnerability management A.9.1 - AI System Security

NIST AI RMF

GOVERN 1.7 - Processes for decommissioning AI systems MANAGE 2.2 - Mechanisms to sustain and monitor AI risk treatments

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-28414?

Gradio is ubiquitous in ML teams for model demos, internal tooling, and rapid prototyping — often exposed on internal networks or directly to the internet. Any Windows-based deployment running Python 3.13+ and Gradio < 6.7 allows unauthenticated attackers to read arbitrary files, including model weights, API keys, .env files, and training data. Patch immediately to 6.7 or restrict network access; assume compromise if this was internet-facing.

Is CVE-2026-28414 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-28414, increasing the risk of exploitation.

How to fix CVE-2026-28414?

1) Patch immediately: upgrade Gradio to 6.7+. 2) Identify all Windows-based Gradio deployments via asset inventory (grep requirements.txt, pyproject.toml, conda envs for 'gradio'). 3) Restrict network access to Gradio instances — bind to localhost only unless external access is required. 4) Audit access logs for path traversal patterns: requests containing '../', absolute paths, or Windows-style paths (e.g., /windows/, /users/). 5) Rotate any credentials (API keys, tokens, DB passwords) that may have been accessible from the server filesystem. 6) If Python 3.13 is required but patching is delayed, downgrade to Python 3.12 as a temporary workaround. 7) Implement WAF rules blocking directory traversal sequences on Gradio endpoints.

What systems are affected by CVE-2026-28414?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, MLOps evaluation pipelines, internal model demo portals, training pipelines, agent frameworks with Gradio UI.

What is the CVSS score for CVE-2026-28414?

CVE-2026-28414 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 3.09%.

What is the AI security impact?

Affected AI Architectures

model servingML development environmentsMLOps evaluation pipelinesinternal model demo portalstraining pipelinesagent frameworks with Gradio UI

MITRE ATLAS Techniques

AML.T0006 Active Scanning

AML.T0007 Discover AI Artifacts

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0048.004 AI Intellectual Property Theft

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9, Article 15, Article 9

ISO 42001: A.6.2.6, A.8.2, A.9.1

NIST AI RMF: GOVERN 1.7, MANAGE 2.2

OWASP LLM Top 10: LLM03, LLM05:2025, LLM06, LLM06:2025

What are the technical details?

Original Advisory

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.

Exploitation Scenario

An adversary identifies a company's internal ML demo portal running Gradio on a Windows server (common in enterprise ML teams). Using a simple HTTP GET request with a crafted path like /file=/windows/win.ini or /file=/../../../users/mluser/.env, the attacker bypasses Gradio's path validation because Python 3.13's os.path.isabs no longer flags root-relative paths as absolute on Windows. The attacker systematically reads .env files (harvesting Hugging Face tokens, OpenAI API keys, AWS credentials), model configuration files, and proprietary fine-tuning datasets — all without any credentials. With harvested cloud credentials, the attacker pivots to S3 buckets containing full training datasets and model artifacts.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-36 Absolute Path Traversal Primary CWE-36 Absolute Path Traversal Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.