CVE-2026-28414 is a CISA KEV-listed path traversal vulnerability in Gradio (versions prior to 6.7). On Windows hosts running Python 3.13 or later, it allows unauthenticated remote attackers to read arbitrary files from the server file system. The root cause is a Python 3.13 behavioral change that silently broke Gradio’s path validation logic, and neither party recognized the dependency. Organizations running Gradio-based AI/ML applications on Windows risk exposing credentials, configuration files, and proprietary model data to unauthenticated attackers.