CVE Catalog

CVE-2026-49119

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.69%

48th percentile — higher than 48% of all known CVEs

Summary

Gradio before version 6.16.0 contains a path traversal vulnerability in the FileExplorer component's preprocess() method. Unauthenticated attackers can bypass the configured root directory by supplying path segments with directory traversal sequences or absolute paths, leading to arbitrary file read or exposure of sensitive files outside the intended directory.

Risk Assessment

The risk for the organization is unauthorized access to sensitive system files or application data, potentially resulting in information disclosure, data integrity compromise, or further attacks on the infrastructure.

Recommendation

It is recommended to immediately upgrade Gradio to version 6.16.0 or later, which fixes this vulnerability. Additionally, review the FileExplorer component configuration and restrict access to trusted users only.

Original NVD description (English source)

Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide crafted path segments that cause os.path.join to discard the root_dir prefix entirely, resulting in arbitrary file read or exposure of sensitive files outside the intended directory.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS