CVE-2026-43624: F5-TTS: path traversal enables arbitrary file write
HIGH
F5-TTS through v1.1.20 contains an unauthenticated path traversal in its Gradio-based fine-tuning interface, allowing any network-reachable attacker to write attacker-controlled JSON content to arbitrary filesystem paths by supplying absolute path strings as project names to an unsanitized os.path.join() call. With a CVSS of 8.2, zero authentication required, zero user interaction, low attack complexity, and full network accessibility, this is trivially exploitable against any exposed instance, a particularly serious condition on AI training servers, which routinely operate with broad filesystem permissions over model checkpoints, training datasets, and configuration directories. While no public exploit or CISA KEV listing currently exists, the vulnerability class is well-understood and requires no ML knowledge to weaponize: a single crafted HTTP request is sufficient. Organizations running F5-TTS fine-tuning interfaces should upgrade to the patched version (commit 2f53ded) or immediately restrict network access to the Gradio finetune handlers behind authentication and VPN.
What is the risk?
HIGH. The attack surface is maximally favorable to an attacker — no credentials, no interaction, low complexity, over the network. AI fine-tuning servers are high-value targets: they typically hold write access to model weight directories, training pipelines, and configuration stores. An unauthenticated arbitrary file write on such a host can escalate to persistent access (cron injection, startup script overwrite), training data poisoning, or backdoored model deployment, converting a single file-write primitive into full pipeline compromise. The absence of a current public exploit or KEV entry reduces immediate threat pressure but the simplicity of the attack class means weaponization time is near-zero once the vulnerability is public.
What should I do?
1) Upgrade F5-TTS to the patched version incorporating commit 2f53ded68e5f69e248ceb200a51ef4d1dc647936; this introduces path validation ensuring resolved paths remain within the intended base directory.
2) If immediate upgrade is not possible, restrict network access to the Gradio finetune interface: place behind VPN, firewall rule, or require authentication via reverse proxy.
3) Run the F5-TTS server process under a least-privilege OS account with write permissions scoped only to required project directories.
4) Audit the server filesystem for unexpected directories or JSON files outside the configured F5-TTS project base path, particularly in /tmp, /etc/cron.d, /etc/cron.hourly, and user home directories.
5) Apply WAF or ingress rules blocking requests with absolute path patterns (/tmp/, /etc/, /root/, ../ sequences) in project name parameters.
6) Review any downstream models produced during the exposure window for unexpected behavioral changes.
Frequently Asked Questions
Is CVE-2026-43624 actively exploited?
No confirmed active exploitation of CVE-2026-43624 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-43624?
This vulnerability affects the following AI/ML architecture patterns: ML training pipelines, AI fine-tuning environments, Model serving infrastructure (co-located with finetune server).
What is the CVSS score for CVE-2026-43624?
CVE-2026-43624 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.08%.
AI Security Impact
MITRE ATLAS Techniques
AML.T0010.001 AI Software
AML.T0020 Poison Training Data
AML.T0049 Exploit Public-Facing Application
Technical Details
Original Advisory
F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting path stays within the intended base directory. Attackers can supply absolute path arguments such as /tmp/EVIL to override the base directory entirely and create arbitrary directories with attacker-controlled JSON content at any filesystem path writable by the server process.
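The os.path.join() behaviour described above, next to a containment check of the kind the advisory says the fix introduces. This is an added example, not F5-TTS code and not the contents of the patch commit; the function names are hypothetical and the sample project names are constructed (only /tmp/EVIL comes from the advisory).

```python
import os
import tempfile
from pathlib import Path


def vulnerable_project_dir(base, project_name):
    # Pattern described in the advisory: the user-supplied name goes straight
    # into os.path.join(). An absolute component discards everything before it.
    return os.path.join(base, project_name)


def safe_project_dir(base, project_name):
    """Return the project directory, or raise ValueError if it escapes base."""
    if not project_name or "\x00" in project_name:
        raise ValueError("empty or malformed project name")
    base_real = Path(base).resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison is made
    # on the location the write would really land in.
    candidate = (base_real / project_name).resolve()
    if candidate == base_real or base_real not in candidate.parents:
        raise ValueError(f"project name escapes base directory: {project_name!r}")
    return candidate


def check_names(base, names):
    """Map each name to True if safe_project_dir accepts it, else False."""
    results = {}
    for name in names:
        try:
            safe_project_dir(base, name)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        # Constructed sample inputs for the hypothetical helpers above.
        names = ["my_voice", "/tmp/EVIL", "../outside", "a/../../outside", "."]
        print("vulnerable join:", vulnerable_project_dir(base, "/tmp/EVIL"))
        for name, ok in check_names(base, names).items():
            print(f"{name!r:22} -> {'accepted' if ok else 'rejected'}")
```

The check compares resolved paths rather than filtering substrings, so it also rejects a symlink inside the base directory that points elsewhere.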
Exploitation Scenario
An attacker scans for internet-exposed Gradio interfaces (common in shared research GPU clusters and self-hosted ML environments) and identifies an F5-TTS instance. Without any credentials, they send a POST request to the finetune project creation endpoint supplying a project name of '/etc/cron.d/r00t' with a JSON body containing a cron job payload. The server, passing the name directly to os.path.join() without validation, writes the file to /etc/cron.d/r00t under the server process user's permissions, establishing command execution persistence. Alternatively, the attacker targets the F5-TTS model checkpoint directory to overwrite legitimate fine-tuned weights with backdoored speech synthesis model files that produce subtly altered output — enabling a supply chain attack on any downstream deployment consuming models from this training server. The entire attack requires no ML knowledge and executes in under 30 seconds.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Supply Chain
CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Supply Chain
CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Supply Chain
CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Supply Chain
CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Code Execution