Home

Description

Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide crafted path segments that cause os.path.join to discard the root_dir prefix entirely, resulting in arbitrary file read or exposure of sensitive files outside the intended directory.

PUBLISHED Reserved 2026-05-27 | Published 2026-07-01 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
affected

Any version before 6.16.0
affected

References

github.com/gradio-app/gradio/releases/tag/gradio@6.16.0 (Release Notes) release-notes

github.com/gradio-app/gradio/pull/13437 (Fix PR) issue-tracking

github.com/...ommit/97d541f3d5fd05b2587a69ecc94b68fe5d2d7004 (Fix Commit) patch

www.vulncheck.com/...h-traversal-via-fileexplorer-preprocess third-party-advisory

cve.org (CVE-2026-49119)

nvd.nist.gov (CVE-2026-49119)

Download JSON