CVE-2026-28414— Gradio 安全漏洞

Gradio has Absolute Path Traversal on Windows with Python 3.13+

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

绝对路径遍历

Gradio 安全漏洞

Gradio是Gradio开源的一个开源 Python 库，是通过友好的 Web 界面演示机器学习模型的方法。 Gradio 6.7之前版本存在安全漏洞，该漏洞源于Python 3.13+中os.path.isabs定义变更导致绝对路径遍历逻辑缺陷，可能导致未经验证的攻击者从文件系统读取任意文件。

N/A

N/A