Gradio has Absolute Path Traversal on Windows with Python 3.13+
Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Windows with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of os.path.isabs so that root-relative paths like /windows/win.ini on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gradio before 6.7 on Windows with Python 3.13+ allows unauthenticated arbitrary file read via absolute path traversal due to changed os.path.isabs behavior.
Vulnerability
Gradio versions prior to 6.7 contain an absolute path traversal vulnerability affecting Windows systems running Python 3.13 or later. The root cause is a behavioral change in Python 3.13's os.path.isabs function, which no longer treats root-relative paths like /windows/win.ini as absolute on Windows. Gradio's safe_join function relied on os.path.isabs to reject absolute paths before returning os.path.join(directory, path), and on Windows os.path.join keeps the base directory's drive but discards its path when the user-supplied component is rooted, so a root-relative path passes the check and resolves to a location outside the intended directory [2][3].
Exploitation
An unauthenticated attacker can exploit this by sending a crafted HTTP request to the Gradio server, using a path like /static//windows/win.ini. The second slash makes the path captured after /static/ begin with /, i.e. a root-relative path, which the existing validation does not catch because Python 3.13's os.path.isabs no longer treats it as absolute, so the server returns the contents of the requested file. No authentication is required, and the attack works even when Gradio is configured with authentication [2][4].
Impact
Successful exploitation allows an attacker to read arbitrary files from the Windows file system in the context of the user running the Gradio server. This could expose sensitive data such as configuration files, credentials, or application source code [4].
Mitigation
The vulnerability is fixed in Gradio version 6.7. The fix adds an explicit check for paths starting with / in the safe_join function, restoring the intended protection [3]. Users running Gradio on Windows with Python 3.13+ should upgrade to 6.7 or later immediately.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
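The three sections above (root cause, the /static//windows/win.ini request, and the 6.7 check) can be replayed on any OS and any Python version with the added example below. It is not Gradio's code: `safe_join_windows` is a simplified reconstruction patterned on the check list visible in the fix hunk, evaluated with explicit `ntpath`/`posixpath` semantics, the two `isabs_*` functions emulate the stdlib's `ntpath.isabs` before and after the Python 3.13 change, `escapes_base` is a positive containment check that is not part of Gradio's fix, and the base directory `C:\app\static` and the `/static/` route prefix are constructed assumptions.

```python
"""Added example, not Gradio's code: replays the safe_join() check pattern
from the fix hunk with explicit Windows path semantics (ntpath/posixpath), so
it runs on any OS and any Python. The two isabs_* functions emulate the
stdlib's ntpath.isabs() before and after the Python 3.13 change."""
import ntpath
import posixpath
import sys


class InvalidPathError(ValueError):
    """Raised when a user-supplied path is rejected."""


def isabs_pre313(path: str) -> bool:
    """ntpath.isabs() as in Python <= 3.12: one leading separator is enough,
    so "/windows/win.ini" is treated as absolute."""
    s = path[:3].replace("/", "\\")
    return s.startswith("\\") or s.startswith(":\\", 1)


def isabs_313(path: str) -> bool:
    """ntpath.isabs() as in Python >= 3.13: needs drive + root ("C:\\...")
    or a UNC/device prefix ("\\\\..."); "/windows/win.ini" is NOT absolute."""
    s = path[:3].replace("/", "\\")
    return s.startswith(":\\", 1) or s.startswith("\\\\")


def stdlib_isabs_matches_emulation(path: str = "/windows/win.ini") -> bool:
    """Cross-check: the running interpreter's ntpath.isabs agrees with the
    emulation selected by its version."""
    emulated = isabs_pre313 if sys.version_info < (3, 13) else isabs_313
    return ntpath.isabs(path) == emulated(path)


# On Windows os.path.sep is "\\" and os.path.altsep is "/", so the list of
# "alternative" separators that the check rejects is just the backslash.
_WIN_ALT_SEPS = [s for s in (ntpath.sep, ntpath.altsep) if s not in (None, "/")]


def safe_join_windows(directory: str, path: str, isabs, fixed: bool) -> str:
    """Simplified reconstruction of the check in the hunk, evaluated with
    Windows semantics. `isabs` is injected so both Python behaviours can be
    shown in one process; `fixed=True` adds the 6.7 startswith("/") test."""
    if path in ("", ".."):
        raise InvalidPathError(path)
    filename = posixpath.normpath(path)
    # ntpath.join keeps the base drive but drops the base path when the
    # second component is rooted: join("C:\\app\\static", "/x") -> "C:/x".
    fullpath = ntpath.join(directory, filename)
    rejected = (
        any(sep in filename for sep in _WIN_ALT_SEPS)
        or isabs(filename)
        or filename == ".."
        or filename.startswith("../")
    )
    if fixed:
        rejected = rejected or filename.startswith("/")
    if rejected:
        raise InvalidPathError(path)
    return fullpath


def escapes_base(directory: str, fullpath: str) -> bool:
    """Positive containment check (not part of the hunk): after normalising,
    the joined path must still have `directory` as its common prefix."""
    base = ntpath.normcase(ntpath.normpath(directory))
    full = ntpath.normcase(ntpath.normpath(fullpath))
    try:
        return ntpath.commonpath([base, full]) != base
    except ValueError:  # different drives, or absolute vs. relative
        return True


def path_param_from_url(url_path: str, prefix: str = "/static/") -> str:
    """What a `/static/{path:path}` style route (assumed) hands to the join:
    the text after the prefix. A doubled slash leaves a path starting "/"."""
    if not url_path.startswith(prefix):
        raise ValueError("not under prefix")
    return url_path[len(prefix):]


def outcome(directory: str, path: str, isabs, fixed: bool) -> str:
    """One-line verdict: rejected, ok (inside base) or escaped (outside)."""
    try:
        full = safe_join_windows(directory, path, isabs, fixed)
    except InvalidPathError:
        return "rejected"
    return ("escaped: " if escapes_base(directory, full) else "ok: ") + full


if __name__ == "__main__":
    base = "C:\\app\\static"  # constructed example base directory
    probe = path_param_from_url("/static//windows/win.ini")
    for label, isabs, fixed in (
        ("py<=3.12, unfixed", isabs_pre313, False),
        ("py>=3.13, unfixed", isabs_313, False),
        ("py>=3.13, 6.7 fix", isabs_313, True),
    ):
        print(f"{label:20} {probe!r:22} -> {outcome(base, probe, isabs, fixed)}")
```

Running it shows the same request rejected under the old isabs, joined to C:/windows/win.ini (outside the base) under the 3.13 isabs without the fix, and rejected again once the startswith("/") test is present; `escapes_base` is the kind of after-the-fact containment check that does not depend on which prefixes are enumerated.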
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gradio (PyPI) | < 6.7.0 | 6.7.0 |
Affected products
- Range: < 6.7
- gradio-app/gradio: < 6.7
Patches
6011b00d0154 Fix absolute path issue in Windows (#12926)
2 files changed · +6 −0
.changeset/proud-badgers-doubt.md+5 −0 added@@ -0,0 +1,5 @@ +--- +"gradio": patch +--- + +fix:Fix absolute path issue in Windows
gradio/utils.py+1 −0 modified@@ -1696,6 +1696,7 @@ def safe_join(directory: DeveloperPath, path: UserProvidedPath) -> str: if ( any(sep in filename for sep in _os_alt_seps) or os.path.isabs(filename) + or filename.startswith("/") or filename == ".." or filename.startswith("../") ):
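Review bot: the changeset description "fix:Fix absolute path issue in Windows" is missing the space after "fix:" and says nothing about impact; since this closes an unauthenticated arbitrary file read through safe_join, the release note should say so and reference the advisory so downstream users know the upgrade is security-relevant.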
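Review bot: the new `or filename.startswith("/")` line is a fifth entry in a denylist of prefixes, while the actual hazard is that `os.path.join(directory, filename)` on Windows replaces the base directory's path whenever the user component is rooted (the os.path.join docs describe this for both rooted segments and drive-qualified components). A check on the joined result, e.g. normalising both and requiring `os.path.commonpath([directory, fullpath]) == directory` before returning `fullpath`, covers every way the join can reset the base rather than this one spelling. At minimum, add a comment naming the Python 3.13 `isabs` change next to the new line, so it is not later removed as redundant with `os.path.isabs(filename)`, and a regression test for "/windows/win.ini" on Windows.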
References
1. github.com/advisories/GHSA-39mp-8hj3-5c49 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2026-28414 (NVD record)
3. github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04 (fix commit)
4. github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49 (GitHub security advisory, vendor confirmation)