H3-2024-0031¶

Gradio Arbitrary File Read Vulnerability

Description¶

The Gradio server is vulnerable to a path traversal and/or a local file inclusion vulnerability. Note: This weakness tracks multiple Gradio CVEs that result in arbitrary file read.

Impact¶

Remote unauthenticated attackers can read arbitrary files from the Gradio target host, leading to potential disclosure of sensitive information such as HuggingFace tokens, or environment variables containing secrets such as API keys.

References¶

• Gradio Changelog
• Enabling Gradio Authentication
• GitHub Advisory for CVE-2026-28414
• GitHub Advisory for CVE-2023-51449
• GitHub Advisory for CVE-2023-34239
• Fix for Windows Path Traversal in Gradio
• NVD: CVE-2026-28414
• NVD: CVE-2024-1561
• NVD: CVE-2023-51449
• NVD: CVE-2023-34239