CVE-2026-49119

Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide crafted path segments that cause os.path.join to discard the root_dir prefix entirely, resulting in arbitrary file read or exposure of sensitive files outside the intended directory.
Configurations

Configuration 1 (hide)

cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

History

02 Jul 2026, 19:46

Type Values Removed Values Added
References () https://github.com/gradio-app/gradio/commit/97d541f3d5fd05b2587a69ecc94b68fe5d2d7004 - () https://github.com/gradio-app/gradio/commit/97d541f3d5fd05b2587a69ecc94b68fe5d2d7004 - Patch
References () https://github.com/gradio-app/gradio/pull/13437 - () https://github.com/gradio-app/gradio/pull/13437 - Issue Tracking, Patch
References () https://github.com/gradio-app/gradio/releases/tag/gradio%406.16.0 - () https://github.com/gradio-app/gradio/releases/tag/gradio%406.16.0 - Product, Release Notes
References () https://www.vulncheck.com/advisories/gradio-path-traversal-via-fileexplorer-preprocess - () https://www.vulncheck.com/advisories/gradio-path-traversal-via-fileexplorer-preprocess - Patch, Release Notes, Third Party Advisory
First Time Gradio Project
Gradio Project gradio
CPE cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

01 Jul 2026, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-01 19:16

Updated : 2026-07-02 19:46


NVD link : CVE-2026-49119

Mitre link : CVE-2026-49119

CVE.ORG link : CVE-2026-49119


JSON object : View

Products Affected

gradio_project

  • gradio
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')