gradio
Behoben in
6.6.1
6.6.0
CVE-2026-28416 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Gradio, an open-source Python package for building user interfaces for machine learning models. This flaw allows attackers to leverage a victim's server to make unauthorized HTTP requests, potentially exposing sensitive internal resources. The vulnerability impacts Gradio versions up to 6.5.1, and a fix is available in version 6.6.0.
An attacker can exploit this SSRF vulnerability by hosting a malicious Gradio Space and enticing a victim to load it using gr.load(). The malicious Space contains a proxy_url which, if trusted, is added to the allowlist. This allows the attacker to leverage the victim's server to make requests to internal services, cloud metadata endpoints (e.g., AWS instance details), and even private networks. The potential impact includes unauthorized access to sensitive data, credential theft, and potentially even lateral movement within the victim's infrastructure. This vulnerability is particularly concerning for organizations deploying Gradio Spaces in production environments, especially those with access to sensitive internal resources.
This vulnerability was publicly disclosed on 2026-03-01. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes exploitation relatively straightforward. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The potential for exploitation remains high due to the ease of crafting malicious Gradio Spaces.
Organizations and developers using Gradio for prototyping machine learning applications, particularly those deploying Spaces publicly or integrating with internal services, are at risk. Shared hosting environments where multiple users can deploy Gradio Spaces are also vulnerable, as a malicious Space could impact other users on the same server.
• python / gradio:
import subprocess
subprocess.run(['pip', 'show', 'gradio'], check=True)• python / gradio: Check Gradio version in requirements.txt or setup.py files. • generic web: Monitor outbound HTTP requests from Gradio applications for unexpected destinations, especially internal network addresses or cloud metadata endpoints. • generic web: Review Gradio application logs for unusual HTTP requests or errors related to proxy URLs.
disclosure
Exploit-Status
EPSS
0.02% (3% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-28416 is to upgrade Gradio to version 6.6.0 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound HTTP requests and block suspicious URLs. Carefully review and restrict the proxy_url allowlist in your Gradio configuration, ensuring that only trusted domains are permitted. Additionally, implement strict input validation on any data used in gr.load() to prevent malicious Space loading. After upgrading, confirm the fix by attempting to load a known malicious Gradio Space and verifying that the proxy URL is not accepted.
Aktualisieren Sie die Gradio-Bibliothek auf Version 6.6.0 oder höher. Dies behebt die SSRF-Schwachstelle, indem die Proxy-URL korrekt validiert wird. Sie können aktualisieren mit `pip install --upgrade gradio`.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-28416 is a Server-Side Request Forgery vulnerability in Gradio versions up to 6.5.1, allowing attackers to make unauthorized HTTP requests through a victim's server.
You are affected if you are using Gradio version 6.5.1 or earlier. Upgrade to version 6.6.0 to resolve the vulnerability.
Upgrade Gradio to version 6.6.0 or later. If upgrading isn't possible immediately, carefully review all Gradio Spaces being loaded and implement strict input validation.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation, and a PoC may emerge.
Refer to the Gradio project's security advisories and release notes on their GitHub repository for the official advisory.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.