Threat Feed
high threat

CVE-2026-8756: fishaudio Bert-VITS2 Path Traversal Vulnerability

A remote path traversal vulnerability exists in the Gradio interface of fishaudio Bert-VITS2: the data_dir argument of the generate_config function in webui_preprocess.py is joined into a filesystem path without validation, so an attacker can point it outside the intended data directory.

A path traversal vulnerability, identified as CVE-2026-8756, affects fishaudio Bert-VITS2 up to commit 8f7fbd8c4770965225d258db548da27dc8dd934c. The flaw is in the generate_config function of webui_preprocess.py, which is part of the Gradio interface component. A remote attacker can exploit it by manipulating the data_dir argument, leading to unauthorized file access or modification outside the intended directory. The exploit has been publicly disclosed and may be in active use. The vendor was contacted but did not respond to the disclosure. Because the project does not publish versioned releases, the affected range can only be stated by commit; there is no release known to contain a fix.

Attack Chain

  1. The attacker locates a Bert-VITS2 instance whose Gradio interface (webui_preprocess.py) is reachable over the network.
  2. The attacker sends an HTTP request to the Gradio API endpoint that backs generate_config. Gradio passes the values of input components as a positional list in the JSON body ("data": [...]) rather than as named parameters, so the request need not contain the string data_dir at all.
  3. The data_dir value carries path traversal sequences such as ../ (possibly percent-encoded).
  4. The server joins the attacker-controlled data_dir onto its data directory without normalizing the result or checking that it stays inside that directory.
  5. The resulting path resolves outside the intended directory, and the application reads from or writes to the file there.
  6. Depending on which files the application process can reach, the attacker obtains sensitive data or alters files, and may use either to compromise the host further.

Impact

Successful exploitation could allow an attacker to read or modify files outside the intended data directory with the privileges of the Bert-VITS2 process, including configuration files, source code, and the application's own data. What that enables next (credential theft, lateral movement, tampering with the service's configuration, or denial of service by corrupting files it depends on) depends on what the process can reach on the host. The lack of versioned releases makes it difficult to determine which deployments are vulnerable, so any instance at or before the affected commit should be treated as exposed.

Recommendation

  • Validate the data_dir argument in the generate_config function (webui_preprocess.py): accept only an allowlisted dataset name with no path separators, then canonicalize the joined path and reject it unless it is still inside the data directory. Rejecting the literal string ../ alone is not sufficient, since encoded and backslash variants exist.
  • Do not expose the Gradio interface to untrusted networks; if it must be reachable, place it behind authentication and restrict access by source address.
  • Run the application as a dedicated low-privilege user with filesystem access limited to its data directory, so a traversal cannot reach credentials or system files.
  • Deploy the Sigma rules below to detect exploitation attempts, and decode percent-encoding before matching on traversal sequences.
  • Monitor web server logs for suspicious requests. Note that standard access logs record the URL but not POST bodies, and Gradio sends function arguments in the JSON body; capturing the body at a reverse proxy or WAF is needed to see the data_dir value itself.
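The unsafe concatenation described in attack chain steps 4 and 5 and the validation called for in the first recommendation, as an added illustration. This is not Bert-VITS2's code: unsafe_config_path mirrors the join-under-a-fixed-root pattern the advisory describes, and safe_config_path is one hardened form. The ./data root, the configs/config.json layout and all function names are assumptions made for the example.

```python
"""Illustrative example only; this is not Bert-VITS2 code."""
import os
import re
from pathlib import Path

# Assumption: per-dataset folders live under a fixed data root (named ./data here).
DATA_ROOT = Path("./data").resolve()

# Allowlist for a dataset name: one path component, alphanumeric start, no separators
# and no percent signs, so neither "../", "/etc" nor "%2e%2e%2f" can get through.
DATASET_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def unsafe_config_path(data_dir: str) -> str:
    """The vulnerable pattern the advisory describes: an untrusted name joined under the root.

    os.path.join neither collapses ".." nor rejects an absolute component, so
    "../../etc" walks out of the root and "/etc" replaces it outright.
    """
    return os.path.join("./data", data_dir, "configs", "config.json")


def safe_config_path(data_dir: str) -> Path:
    """Hardened form: allowlist the name, then prove containment on the resolved path."""
    if not DATASET_NAME.fullmatch(data_dir):
        raise ValueError(f"invalid dataset name: {data_dir!r}")
    # resolve() follows symlinks and collapses "..", so an existing dataset folder
    # that is a symlink pointing outside the root is rejected here as well.
    dataset_dir = (DATA_ROOT / data_dir).resolve()
    if dataset_dir.parent != DATA_ROOT:
        raise ValueError(f"dataset escapes data root: {data_dir!r}")
    return dataset_dir / "configs" / "config.json"


def probe(names):
    """Run candidate names through both versions.

    Returns {name: (unsafe_result, safe_result)} with paths as POSIX strings;
    the safe result is "rejected: ..." when validation refuses the name.
    """
    results = {}
    for name in names:
        unsafe = Path(os.path.normpath(unsafe_config_path(name))).as_posix()
        try:
            safe = safe_config_path(name).relative_to(DATA_ROOT).as_posix()
        except ValueError as exc:
            safe = f"rejected: {exc}"
        results[name] = (unsafe, safe)
    return results


if __name__ == "__main__":
    # Constructed inputs: one legitimate dataset name and three traversal attempts.
    for name, (unsafe, safe) in probe(["speaker1", "../../etc", "/etc", "a/../../etc"]).items():
        print(f"{name!r:16} unsafe -> {unsafe:32} safe -> {safe}")
```

The allowlist alone would stop every input shown; the containment check is kept as a second layer so that a later change to the allowlist (or a symlinked dataset folder) cannot silently reopen the hole.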

Detection coverage (2 rules)

Detects CVE-2026-8756 Exploitation — Bert-VITS2 Path Traversal Attempt

high

Detects CVE-2026-8756 exploitation — Monitors web server logs for HTTP requests containing path traversal sequences in the data_dir parameter when accessing the Gradio Interface.

Sigma | tactic: initial_access | technique: T1190 | source: webserver

Detects CVE-2026-8756 Exploitation — Bert-VITS2 Path Traversal via generate_config

high

Detects CVE-2026-8756 exploitation — Identifies HTTP POST requests to the generate_config endpoint with path traversal attempts in the request body.

Sigma | tactic: initial_access | technique: T1190 | source: webserver
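The matching logic behind both rules above (traversal sequences in a URL parameter, and in the body of a POST to the endpoint that backs generate_config), as an added example that is not one of the platform's rules. It runs over constructed log records rather than real traffic; the /run/predict route and the "data"/"fn_index" body shape follow Gradio's JSON API, and the record layout with a captured body assumes a reverse proxy or WAF that logs request bodies.

```python
"""Illustrative detection logic; the log records below are constructed, not real traffic."""
import json
import re
from urllib.parse import parse_qs, unquote

# After backslashes are folded to "/", this matches a ".." path segment: "../x", "x/../y", "x/..".
# A name that merely starts with ".." (e.g. "..hidden") is not flagged.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times and fold backslashes.

    Two rounds catch both "%2e%2e%2f" and the double-encoded "%252e%252e%252f".
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    return TRAVERSAL.search(normalize(value)) is not None


def strings_in(obj):
    """Yield every string inside a parsed JSON value. Gradio sends arguments positionally
    in a "data" list, so there is no argument name such as data_dir to key on."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from strings_in(v)


def scan(records):
    """Return (record_index, location, normalized_value) for every traversal hit.

    Each record is a dict with "method", "uri" and "body"; plain access logs do not
    capture POST bodies, so "body" is only populated when a proxy or WAF logs it."""
    alerts = []
    for i, rec in enumerate(records):
        path, _, query = rec["uri"].partition("?")
        candidates = [("path", path)]
        for key, values in parse_qs(query, keep_blank_values=True).items():
            candidates += [(f"query:{key}", v) for v in values]
        body = rec.get("body") or ""
        try:
            candidates += [("body", s) for s in strings_in(json.loads(body))]
        except ValueError:  # not JSON: fall back to scanning the raw body
            if body:
                candidates.append(("body", body))
        for where, value in candidates:
            if has_traversal(value):
                alerts.append((i, where, normalize(value)))
    return alerts


# Constructed sample log: one benign preprocessing call and four traversal attempts
# (plain, query-string encoded, backslash encoded, double encoded).
SAMPLE_LOG = [
    {"method": "GET", "uri": "/", "body": ""},
    {"method": "POST", "uri": "/run/predict", "body": '{"data": ["speaker1", 4], "fn_index": 3}'},
    {"method": "POST", "uri": "/run/predict", "body": '{"data": ["../../../etc", 4], "fn_index": 3}'},
    {"method": "GET", "uri": "/run/predict?data_dir=..%2F..%2Fetc", "body": ""},
    {"method": "POST", "uri": "/run/predict", "body": '{"data": ["..%5c..%5cwindows", 4], "fn_index": 3}'},
    {"method": "POST", "uri": "/run/predict", "body": '{"data": ["%252e%252e%252f%252e%252e%252fetc", 4], "fn_index": 3}'},
]

if __name__ == "__main__":
    for idx, where, value in scan(SAMPLE_LOG):
        print(f"record {idx}: traversal in {where}: {value}")
```

Matching on the literal string "../" in the raw request would miss records 3, 4 and 5; decoding first and folding backslashes is what makes a single pattern cover them. Two decode rounds are a deliberate cutoff: deeper nesting is rare, and each extra round increases false positives on legitimate encoded data.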

Detection queries are available on the platform. Get full rules →