Gradio is the primary interface layer for many internally deployed AI and machine learning applications; a successful attack gives an unauthenticated outsider direct read access to the server's file system without any login required. This means proprietary model configurations, API keys, database credentials, and internal data files are all reachable and can be exfiltrated silently, with no user interaction needed. CISA's confirmation of active exploitation means this is not a theoretical risk — organizations running the affected configuration should treat this as an active threat to AI infrastructure confidentiality and, depending on what credentials are exposed, potentially to broader network security.
You Are Affected If
You run Gradio versions prior to 6.7 in any environment
The Gradio server is deployed on Windows (Linux and macOS hosts are not affected by this specific vulnerability)
The host's Python runtime is version 3.13 or later
The Gradio application is reachable from the internet or from untrusted internal network segments without an authenticated proxy layer
You have not applied the Gradio 6.7 upgrade since the CISA KEV listing
Board Talking Points
A confirmed, actively exploited vulnerability in Gradio — the library many teams use to deploy AI tools internally — lets anyone without a password read files directly off affected Windows servers.
Any team running Gradio on Windows with Python 3.13 must upgrade to Gradio version 6.7 immediately; this upgrade is the only complete fix and should be completed within 24 hours given CISA's active exploitation confirmation.
Without patching, attackers can silently extract credentials, API keys, and proprietary data from AI application servers, potentially using that access to pivot into broader systems.
