CVE-2026-28414: Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Win
Summary
Gradio (an open-source Python package for building web interfaces quickly) has a vulnerability in versions before 6.7 on Windows with Python 3.13 and newer that allows attackers to read any file from the server by exploiting a flaw in how the software checks if file paths are absolute (starting from the root directory). The vulnerability exists because Python 3.13 changed how it defines absolute paths, breaking Gradio's protections against path traversal (accessing files outside intended directories).
Solution / Mitigation
Update Gradio to version 6.7 or later, which fixes the issue.
Vulnerability Details
7.5(high)
EPSS: 0.1%
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-28414
First tracked: February 27, 2026 at 07:07 PM
Classified by LLM (prompt v3) · confidence: 92%