CVE-2026-28414 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2026-28414 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-28414, increasing the risk of exploitation.

Q: How to fix CVE-2026-28414?

1) Patch immediately: upgrade Gradio to 6.7+. 2) Identify all Windows-based Gradio deployments via asset inventory (grep requirements.txt, pyproject.toml, conda envs for 'gradio'). 3) Restrict network access to Gradio instances — bind to localhost only unless external access is required. 4) Audit access logs for path traversal patterns: requests containing '../', absolute paths, or Windows-style paths (e.g., /windows/, /users/). 5) Rotate any credentials (API keys, tokens, DB passwords) that may have been accessible from the server filesystem. 6) If Python 3.13 is required but patching is delayed, downgrade to Python 3.12 as a temporary workaround. 7) Implement WAF rules blocking directory traversal sequences on Gradio endpoints.

Q: What systems are affected by CVE-2026-28414?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, MLOps evaluation pipelines, internal model demo portals, training pipelines, agent frameworks with Gradio UI.

Q: What is the CVSS score for CVE-2026-28414?

CVE-2026-28414 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 3.20%.

CISO Take

Gradio is ubiquitous in ML teams for model demos, internal tooling, and rapid prototyping — often exposed on internal networks or directly to the internet. Any Windows-based deployment running Python 3.13+ and Gradio < 6.7 allows unauthenticated attackers to read arbitrary files, including model weights, API keys, .env files, and training data. Patch immediately to 6.7 or restrict network access; assume compromise if this was internet-facing.

Risk Assessment

Risk is HIGH due to zero-prerequisite exploitation: no authentication, no user interaction, low complexity, and network-accessible. The Python 3.13 behavioral change in os.path.isabs creates a silent regression in path validation logic that bypasses even Gradio's own authentication layer. Exposure is significant because Gradio is the de facto standard for ML model UIs and is frequently deployed without hardening. Windows-based MLOps environments and data science workstations are particularly at risk.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →
gradio	pip	< 6.7.0	`6.7.0`
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

3.2%

chance of exploitation in 30 days

Higher than 87% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

1 step

1) Patch immediately: upgrade Gradio to 6.7+. 2) Identify all Windows-based Gradio deployments via asset inventory (grep requirements.txt, pyproject.toml, conda envs for 'gradio'). 3) Restrict network access to Gradio instances — bind to localhost only unless external access is required. 4) Audit access logs for path traversal patterns: requests containing '../', absolute paths, or Windows-style paths (e.g., /windows/, /users/). 5) Rotate any credentials (API keys, tokens, DB passwords) that may have been accessible from the server filesystem. 6) If Python 3.13 is required but patching is delayed, downgrade to Python 3.12 as a temporary workaround. 7) Implement WAF rules blocking directory traversal sequences on Gradio endpoints.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Extraction Framework API Model AML.T0006 - Active Scanning AML.T0007 - Discover AI Artifacts AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0048.004 - AI Intellectual Property Theft AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system Article 15 - Accuracy, Robustness and Cybersecurity Article 9 - Risk Management System

ISO 42001

A.6.2.6 - AI system security A.8.2 - AI system vulnerability management A.9.1 - AI System Security

NIST AI RMF

GOVERN 1.7 - Processes for decommissioning AI systems MANAGE 2.2 - Mechanisms to sustain and monitor AI risk treatments

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-28414?

Gradio is ubiquitous in ML teams for model demos, internal tooling, and rapid prototyping — often exposed on internal networks or directly to the internet. Any Windows-based deployment running Python 3.13+ and Gradio < 6.7 allows unauthenticated attackers to read arbitrary files, including model weights, API keys, .env files, and training data. Patch immediately to 6.7 or restrict network access; assume compromise if this was internet-facing.

Is CVE-2026-28414 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-28414, increasing the risk of exploitation.

How to fix CVE-2026-28414?

1) Patch immediately: upgrade Gradio to 6.7+. 2) Identify all Windows-based Gradio deployments via asset inventory (grep requirements.txt, pyproject.toml, conda envs for 'gradio'). 3) Restrict network access to Gradio instances — bind to localhost only unless external access is required. 4) Audit access logs for path traversal patterns: requests containing '../', absolute paths, or Windows-style paths (e.g., /windows/, /users/). 5) Rotate any credentials (API keys, tokens, DB passwords) that may have been accessible from the server filesystem. 6) If Python 3.13 is required but patching is delayed, downgrade to Python 3.12 as a temporary workaround. 7) Implement WAF rules blocking directory traversal sequences on Gradio endpoints.

What systems are affected by CVE-2026-28414?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, MLOps evaluation pipelines, internal model demo portals, training pipelines, agent frameworks with Gradio UI.

What is the CVSS score for CVE-2026-28414?

CVE-2026-28414 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 3.20%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.

Exploitation Scenario

An adversary identifies a company's internal ML demo portal running Gradio on a Windows server (common in enterprise ML teams). Using a simple HTTP GET request with a crafted path like /file=/windows/win.ini or /file=/../../../users/mluser/.env, the attacker bypasses Gradio's path validation because Python 3.13's os.path.isabs no longer flags root-relative paths as absolute on Windows. The attacker systematically reads .env files (harvesting Hugging Face tokens, OpenAI API keys, AWS credentials), model configuration files, and proprietary fine-tuning datasets — all without any credentials. With harvested cloud credentials, the attacker pivots to S3 buckets containing full training datasets and model artifacts.