PT-2026-22409 · Gradio · Gradio

Nvn1729 · Published 2026-02-27 · Updated 2026-03-31 · CVE-2026-28414

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 6.7

Description: Gradio is a Python package for prototyping applications. Applications running on Windows with Python 3.13 and later are susceptible to an absolute path traversal issue. A change in Python 3.13+ altered how os.path.isabs handles root-relative paths, which exposes a flaw in Gradio's path-joining logic. This allows unauthenticated attackers to read arbitrary files from the Gradio server, even with authentication enabled. The issue affects the way paths are handled, potentially allowing access to sensitive files.

Recommendations: Update to version 6.7 or later.

References: Exploit · Fix

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2026-28414
GHSA-39MP-8HJ3-5C49
PYSEC-2026-64

Affected Products

Gradio