CVE-2026-28416

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

History

No history.

Information

Published : 2026-02-27 22:16

Updated : 2026-03-05 13:03

NVD link : CVE-2026-28416

Mitre link : CVE-2026-28416

CVE.ORG link : CVE-2026-28416

JSON object : View

Products Affected

gradio_project

gradio

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-28416", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2026-02-27T22:16:24.667", "references": [{"url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue."}, {"lang": "es", "value": "Gradio es un paquete Python de c\u00f3digo abierto dise\u00f1ado para la creaci\u00f3n r\u00e1pida de prototipos. Antes de la versi\u00f3n 6.6.0, una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Gradio permite a un atacante realizar peticiones HTTP arbitrarias desde el servidor de una v\u00edctima al alojar un Gradio Space malicioso. Cuando una aplicaci\u00f3n v\u00edctima utiliza 'gr.load()' para cargar un Space controlado por el atacante, se conf\u00eda en la 'proxy_url' maliciosa de la configuraci\u00f3n y se a\u00f1ade a la lista de permitidos, lo que permite al atacante acceder a servicios internos, endpoints de metadatos en la nube y redes privadas a trav\u00e9s de la infraestructura de la v\u00edctima. La versi\u00f3n 6.6.0 corrige el problema."}], "lastModified": "2026-03-05T13:03:21.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "59BB794F-B63D-4D86-B0F0-E60AF9017444", "versionEndExcluding": "6.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}