Platform: python
Component: gradio
Fixed in: 6.6.1, 6.6.0
CVE-2026-28416 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Gradio, an open-source Python package for building user interfaces for machine learning models. This flaw allows attackers to leverage a victim's server to make unauthorized HTTP requests, potentially exposing sensitive internal resources. The vulnerability impacts Gradio versions up to 6.5.1, and a fix is available in version 6.6.0.
An attacker exploits this SSRF by hosting a malicious Gradio Space and enticing a victim to load it with gr.load(). The malicious Space's configuration carries a proxy_url; because the victim's application accepted that remotely supplied value as trusted and added it to its proxy allowlist without adequate validation, the attacker can make the victim's server issue HTTP requests to a destination of the attacker's choosing, bypassing the controls that the allowlist was meant to enforce. The impact includes reaching internal services that are not exposed to the internet, retrieving cloud instance metadata (for example AWS instance credentials from the metadata endpoint), and pivoting into private networks, which can lead to data exposure, unauthorized access to systems, and further compromise.
This vulnerability was publicly disclosed on 2026-03-01. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score is 0.02% (3rd percentile), a low predicted likelihood of exploitation in the wild, although an SSRF of this kind is straightforward to reproduce once the details are public, so a PoC may still appear. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (3rd percentile)
The primary mitigation for CVE-2026-28416 is to upgrade Gradio to version 6.6.0 or later. If upgrading is not immediately feasible, review every Gradio Space your application loads with gr.load() and load only Spaces from sources you trust, since a Space's configuration is attacker-controlled input. Apply strict validation to any user- or remotely-supplied URL that your Gradio application will fetch on the server side: allow only http/https, and reject hosts that resolve to loopback, link-local (including the cloud metadata address 169.254.169.254), or private address ranges. A WAF inspects inbound traffic and does little against SSRF; what limits the blast radius is egress control, so restrict outbound connections from the host running Gradio and, in cloud environments, harden the instance metadata endpoint (for example by requiring IMDSv2 on AWS). After upgrading, confirm the installed version with `pip show gradio` or `python -c "import gradio; print(gradio.__version__)"`; exercise a deliberately malicious Space only against an isolated test instance, never in production.
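The trust flow described in the exploit section and the URL validation recommended above, side by side, as an added example. This is not Gradio's own code: the config shape (a dict with a `proxy_url` key), the allowlist, the function names and the DNS table are all hypothetical or constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample configs. The "proxy_url" key is an assumption for this
# example and is not a statement about Gradio's actual Space config format.
MALICIOUS_SPACE_CONFIG = {"proxy_url": "http://169.254.169.254/latest/meta-data/"}
BENIGN_SPACE_CONFIG = {"proxy_url": "https://example-space.hf.space"}

# Constructed stand-in for DNS so the example runs offline. A real deployment
# would call socket.getaddrinfo() and pin the connection to the vetted address.
FAKE_DNS = {
    "example-space.hf.space": ["8.8.8.8"],      # public address
    "metadata.internal": ["169.254.169.254"],  # link-local metadata service
    "localtest.me": ["127.0.0.1"],             # loopback reached via DNS
}


def resolve(host):
    """Return the addresses for host: literal IPs map to themselves, names are
    looked up in the constructed table, unknown names yield [] (fail closed)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def add_proxy_unsafe(allowlist, space_config):
    """Vulnerable pattern: whatever proxy_url the remote Space supplies is
    trusted and added to the allowlist, so the attacker chooses the target."""
    allowlist.add(space_config["proxy_url"])
    return allowlist


def is_safe_proxy_url(url, resolver=resolve):
    """Reject URLs a forged server-side request must never reach: non-HTTP
    schemes, embedded credentials, and hosts that resolve to loopback,
    link-local (cloud metadata), private, multicast, reserved or unspecified
    addresses. IPv4-mapped IPv6 literals are unwrapped before the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False
    addrs = resolver(host)
    if not addrs:
        return False  # unresolvable host: fail closed
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if (ip.is_loopback or ip.is_link_local or ip.is_private
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False
    return True


def add_proxy_safe(allowlist, space_config, resolver=resolve):
    """Hardened pattern: the remote-supplied proxy_url must pass validation
    before it is trusted. Returns True if added, False if rejected."""
    url = space_config.get("proxy_url")
    if not url or not is_safe_proxy_url(url, resolver):
        return False
    allowlist.add(url)
    return True


if __name__ == "__main__":
    print("unsafe allowlist:", add_proxy_unsafe(set(), MALICIOUS_SPACE_CONFIG))
    for cfg in (BENIGN_SPACE_CONFIG, MALICIOUS_SPACE_CONFIG):
        verdict = "added" if add_proxy_safe(set(), cfg) else "rejected"
        print(cfg["proxy_url"], "->", verdict)
```

Two caveats apply when moving this beyond the constructed resolver: validate every address a name resolves to and make the HTTP client connect to that same vetted address (otherwise a DNS rebinding attack can pass the check and then resolve elsewhere), and re-run the check on every redirect target, since a permitted public host can redirect the server to the metadata endpoint.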
Update the Gradio library to version 6.6.0 or higher. This corrects the SSRF vulnerability by properly validating the proxy URL. You can update using `pip install --upgrade gradio`.
CVE-2026-28416 is a Server-Side Request Forgery vulnerability in Gradio versions up to 6.5.1, allowing attackers to make unauthorized HTTP requests through a victim's server.
You are affected if you are using Gradio version 6.5.1 or earlier (any release before 6.6.0). Upgrade to version 6.6.0 or later to resolve the vulnerability.
Upgrade Gradio to version 6.6.0 or later. If upgrading isn't possible immediately, carefully review all Gradio Spaces being loaded and implement strict input validation.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation, and a PoC may emerge.
Refer to the Gradio project's security advisories and release notes on their GitHub repository for the official advisory.