CVE-2026-8756 Overview
CVE-2026-8756 is a path traversal vulnerability in the fishaudio Bert-VITS2 text-to-speech project, affecting commits up to 8f7fbd8c4770965225d258db548da27dc8dd934c. The flaw resides in the generate_config function within webui_preprocess.py, part of the Gradio Interface component. Attackers can manipulate the data_dir argument to traverse directories outside the intended scope. The vulnerability is remotely exploitable without authentication, and a public proof-of-concept has been disclosed. The project does not use formal versioning, so affected and unaffected releases cannot be precisely enumerated. The vendor was contacted but did not respond to the disclosure.
Critical Impact
Unauthenticated remote attackers can read or write files outside the intended directory through the data_dir parameter, enabling configuration tampering and potential disclosure of sensitive files.
Affected Products
- fishaudio Bert-VITS2 (all commits up to 8f7fbd8c4770965225d258db548da27dc8dd934c)
- Gradio Interface component (webui_preprocess.py)
- Deployments exposing the Bert-VITS2 web UI to untrusted networks
Discovery Timeline
- 2026-05-17 - CVE-2026-8756 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8756
Vulnerability Analysis
The vulnerability is classified as Path Traversal under CWE-22. It exists in the generate_config function of webui_preprocess.py, which is exposed through the Gradio web interface used by Bert-VITS2 for preprocessing speech training data. The function accepts a data_dir argument supplied by remote users and uses it to construct file system paths without sanitizing traversal sequences such as ../. Because the Gradio interface is typically bound to a network-accessible port, attackers can submit crafted requests without any prior authentication.
Root Cause
The root cause is missing input validation on the data_dir parameter. The application concatenates user-supplied directory input into file paths used by the configuration generation routine. There is no canonicalization step that resolves the final path and verifies it stays within an allowed base directory. As a result, sequences that escape the application working directory are honored by the underlying file APIs.
Attack Vector
An attacker reaches the vulnerable endpoint over the network by interacting with the Gradio Interface. The attacker submits a request to the preprocessing workflow with a data_dir value containing relative path traversal segments. The generate_config function then reads from or writes to attacker-chosen paths on the host file system. The vulnerability manifests entirely through unsanitized argument handling. See the GitHub Gist PoC Example and VulDB Vulnerability #364383 for technical details.
Detection Methods for CVE-2026-8756
Indicators of Compromise
- HTTP requests to the Bert-VITS2 Gradio interface containing ../ or encoded traversal sequences (%2e%2e%2f) in the data_dir field.
- Unexpected configuration files written by the Bert-VITS2 process outside its installation directory.
- Access to sensitive host paths (such as /etc, user home directories, or cloud metadata mounts) originating from the Python process hosting the Gradio app.
Detection Strategies
- Inspect web server and reverse proxy logs for POST requests to Gradio endpoints with suspicious data_dir values.
- Apply file integrity monitoring to detect configuration files being created or modified outside the Bert-VITS2 project directory.
- Correlate Python process file open events with parent process context to surface traversal attempts originating from the Gradio worker.
Monitoring Recommendations
- Alert on Bert-VITS2 processes accessing paths outside their designated dataset and output directories.
- Monitor outbound exposure of the Gradio port and flag instances reachable from untrusted networks.
- Track repeated parameter manipulation attempts against the preprocessing endpoint from a single source.
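The log-inspection and repeat-attempt tracking described above, as an added example that is not part of this advisory or the Bert-VITS2 project. It assumes a reverse proxy that records the submitted data_dir value on each access-log line (the log lines below are constructed), decodes percent-encoding repeatedly so double-encoded traversal is not missed, and counts flagged requests per source address.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample proxy log lines (assumed format: the proxy appends the
# data_dir field it saw in the Gradio request). Not from a real deployment.
SAMPLE_LOGS = [
    '10.0.0.5 - - [17/May/2026:10:01:02 +0000] "POST /api/predict HTTP/1.1" 200 512 data_dir=Data/demo',
    '10.0.0.9 - - [17/May/2026:10:01:07 +0000] "POST /api/predict HTTP/1.1" 200 512 data_dir=../../etc',
    '10.0.0.9 - - [17/May/2026:10:01:09 +0000] "POST /api/predict HTTP/1.1" 200 512 data_dir=%2e%2e%2f%2e%2e%2fetc',
    '10.0.0.9 - - [17/May/2026:10:01:11 +0000] "POST /api/predict HTTP/1.1" 200 512 data_dir=..%252f..%252fetc',
    '10.0.0.7 - - [17/May/2026:10:02:00 +0000] "GET / HTTP/1.1" 200 2048',
]

DATA_DIR_RE = re.compile(r'data_dir=([^\s&"]+)')
SRC_RE = re.compile(r'^(\S+)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded ..%252f is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_data_dir(raw):
    """Return a reason string if the raw value looks like traversal, else None."""
    value = fully_decode(raw).replace('\\', '/')  # treat backslash as a separator
    if '\x00' in value:
        return 'null byte'
    if value.startswith('/'):
        return 'absolute path'
    if '..' in value.split('/'):  # a whole '..' segment, not just '..' in a name
        return 'parent-directory segment'
    return None

def scan_logs(lines):
    """Yield (source, raw data_dir, reason) for every suspicious request."""
    findings = []
    for line in lines:
        m = DATA_DIR_RE.search(line)
        if not m:
            continue
        reason = classify_data_dir(m.group(1))
        if reason:
            findings.append((SRC_RE.match(line).group(1), m.group(1), reason))
    return findings

def repeat_offenders(findings, threshold=2):
    """Sources with at least `threshold` flagged requests (monitoring item above)."""
    counts = Counter(src for src, _, _ in findings)
    return {src: n for src, n in counts.items() if n >= threshold}
```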
How to Mitigate CVE-2026-8756
Immediate Actions Required
- Restrict network access to the Bert-VITS2 Gradio interface using firewall rules, reverse proxy authentication, or VPN-only access.
- Run the Bert-VITS2 process under a low-privilege user account with file system access limited to its dataset directories.
- Audit existing Bert-VITS2 deployments for unexpected files or configuration changes that may indicate prior exploitation.
Patch Information
No vendor patch is available. The vendor was contacted prior to disclosure but did not respond, and the project does not use formal versioning. Operators should track the upstream repository for fixes and review the VulDB advisory for updates.
Workarounds
- Apply a local patch to webui_preprocess.py that canonicalizes the data_dir input and verifies the resolved path stays within an allowed base directory.
- Reject any data_dir value containing .., absolute paths, or null bytes before invoking generate_config.
- Containerize the Bert-VITS2 service with read-only mounts and a tightly scoped writable volume to limit traversal impact.
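The local hardening described in the first two workarounds, written as an added example rather than code from the Bert-VITS2 project: it rejects null bytes, absolute paths and parent-directory segments, then canonicalizes the candidate under an allowed base directory and confirms the resolved path (symlinks included) still lies inside it. The function names and the base directory are assumptions; the real generate_config would be called only after this check passes.

```python
from pathlib import Path

class UnsafeDataDir(ValueError):
    """Raised when a user-supplied data_dir fails validation."""

def resolve_data_dir(user_value, base_dir):
    """Return the canonical path for user_value under base_dir, or raise."""
    if not isinstance(user_value, str) or not user_value:
        raise UnsafeDataDir('data_dir must be a non-empty string')
    if '\x00' in user_value:
        raise UnsafeDataDir('null byte in data_dir')
    # Normalize Windows separators so a backslash cannot hide a '..' segment.
    candidate = user_value.replace('\\', '/')
    if Path(candidate).is_absolute():
        raise UnsafeDataDir('absolute paths are not allowed')
    if '..' in Path(candidate).parts:
        raise UnsafeDataDir('parent-directory segment in data_dir')
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a link inside base pointing outside is caught.
    target = (base / candidate).resolve()
    if target != base and base not in target.parents:
        raise UnsafeDataDir('data_dir escapes the allowed base directory')
    return target

def is_safe_data_dir(user_value, base_dir):
    """Boolean convenience wrapper around resolve_data_dir."""
    try:
        resolve_data_dir(user_value, base_dir)
        return True
    except UnsafeDataDir:
        return False

def generate_config_safe(data_dir, base_dir='datasets'):
    """Hypothetical guarded entry point: validate first, then build the config path
    that the original generate_config would write to (assumed name config.json)."""
    target = resolve_data_dir(data_dir, base_dir)
    return target / 'config.json'
```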
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.