gradio
Fixed in
6.6.1
6.6.0
CVE-2026-28416 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Gradio, an open-source Python package for building user interfaces for machine learning models. This flaw allows attackers to leverage a victim's server to make unauthorized HTTP requests, potentially exposing sensitive internal resources. The vulnerability impacts Gradio versions up to 6.5.1, and a fix is available in version 6.6.0.
An attacker can exploit this SSRF vulnerability by hosting a malicious Gradio Space and enticing a victim to load it with gr.load(). The malicious Space declares a proxy_url; if the victim's application trusts the Space, that proxy_url is added to the allowlist, and the attacker can then craft HTTP requests that the victim's server executes on their behalf, bypassing the intended controls. The potential impact includes reaching internal services that are not exposed to the internet, retrieving cloud metadata (e.g., AWS instance credentials), and potentially gaining access to private networks. This could lead to data breaches, unauthorized access to systems, and further exploitation.
This vulnerability was publicly disclosed on 2026-03-01. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. The EPSS score is currently pending evaluation, but the SSRF nature of the vulnerability suggests a medium to high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations and developers using Gradio for prototyping machine learning applications, particularly those deploying Spaces publicly or integrating with internal services, are at risk. Shared hosting environments where multiple users can deploy Gradio Spaces are also vulnerable, as a malicious Space could impact other users on the same server.
• python / gradio:
```python
import subprocess
import sys

# Print the metadata of the installed gradio package (including its Version line)
# for the interpreter that actually runs the application.
subprocess.run([sys.executable, '-m', 'pip', 'show', 'gradio'], check=True)
```
• python / gradio: Check the Gradio version pinned in requirements.txt or setup.py files.
• generic web: Monitor outbound HTTP requests from Gradio applications for unexpected destinations, especially internal network addresses or cloud metadata endpoints.
• generic web: Review Gradio application logs for unusual HTTP requests or errors related to proxy URLs.
disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28416 is to upgrade Gradio to version 6.6.0 or later. If upgrading is not immediately feasible, carefully review all Gradio Spaces being loaded and ensure they are from trusted sources. Implement strict input validation on any user-provided URLs used within Gradio applications. Consider using a Web Application Firewall (WAF) with SSRF protection rules to filter outbound requests. After upgrading, confirm the fix by attempting to load a known malicious Gradio Space and verifying that the proxy URL is not accepted.
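The detection bullets above ask for monitoring of outbound requests to internal or metadata addresses, and the mitigation above asks for strict validation of user-provided URLs such as a Space's proxy_url. Both checks rest on the same decision, "does this host point inside the network or at a cloud metadata endpoint", so the following added example (not Gradio's code, and not the fix shipped in 6.6.0) implements that decision once and uses it twice: as an allowlist-plus-denylist validator for proxy URLs, and as a classifier over outbound-request log lines. The function names, the log line format and the sample log lines are assumptions constructed for the example; the only value taken from the advisory is the first fixed version, 6.6.0.

```python
"""Defender-side helpers for the SSRF class described in the advisory.

Added example, not Gradio project code. Function names, the log format and the
sample log lines are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

FIXED_VERSION = (6, 6, 0)  # first fixed release named in the advisory

# Well-known cloud metadata endpoints, which a generic IP-range check alone would miss by name.
METADATA_HOSTS = frozenset({"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"})


def parse_version(v: str) -> tuple:
    """Parse the leading numeric components of a version string, e.g. '6.5.1' -> (6, 5, 1)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def is_vulnerable_version(v: str) -> bool:
    """True for any release older than the first fixed version."""
    return parse_version(v) < FIXED_VERSION


def is_internal_host(host: str) -> bool:
    """True if host is a known metadata name or a literal IP in a non-public range."""
    host = host.strip("[]").lower()
    if host in METADATA_HOSTS or host == "localhost" or host.endswith(".internal"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public hostname; DNS rebinding is out of scope for this check
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_proxy_url(url: str, allowed_hosts: frozenset) -> str:
    """Accept only https URLs whose host is on an explicit allowlist and is not internal.

    Raises ValueError with the reason for rejection; returns the URL unchanged when accepted.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("proxy_url must use https")
    if parts.username or parts.password:
        raise ValueError("credentials in proxy_url are not allowed")
    host = parts.hostname or ""
    if not host or is_internal_host(host):
        raise ValueError(f"proxy_url host {host!r} points at an internal or metadata address")
    if host not in allowed_hosts:
        raise ValueError(f"proxy_url host {host!r} is not on the allowlist")
    return url


def is_accepted_proxy_url(url: str, allowed_hosts: frozenset) -> bool:
    """Boolean wrapper around validate_proxy_url, convenient for logging and tests."""
    try:
        validate_proxy_url(url, allowed_hosts)
        return True
    except ValueError:
        return False


# Constructed sample log lines; the "<timestamp> outbound <method> <url>" format is assumed.
SAMPLE_LOG = """\
2026-03-02T10:00:01Z outbound GET https://huggingface.co/api/spaces/demo
2026-03-02T10:00:02Z outbound GET http://169.254.169.254/latest/meta-data/
2026-03-02T10:00:03Z outbound POST http://10.0.3.15:8080/admin/api
2026-03-02T10:00:04Z outbound GET https://example.org/model.bin
"""


def suspicious_outbound(log_text: str) -> list:
    """Return the request URLs whose destination host is internal or a metadata endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"\boutbound\s+\S+\s+(\S+)", line)
        if not m:
            continue
        url = m.group(1)
        if is_internal_host(urlsplit(url).hostname or ""):
            hits.append(url)
    return hits


if __name__ == "__main__":
    print("6.5.1 vulnerable:", is_vulnerable_version("6.5.1"))
    print("6.6.0 vulnerable:", is_vulnerable_version("6.6.0"))
    print("flagged outbound requests:", suspicious_outbound(SAMPLE_LOG))
    print("accepts https://example.org/proxy:",
          is_accepted_proxy_url("https://example.org/proxy", frozenset({"example.org"})))
```

The validator deliberately combines an allowlist with the internal-address denylist: an allowlist alone is exactly what the advisory says the malicious Space's proxy_url slipped into, so the denylist is a second, independent check that does not depend on who was trusted. The log classifier reuses the same predicate, which keeps the monitoring rule and the input validation from drifting apart.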
Update the Gradio library to version 6.6.0 or later. This fixes the SSRF vulnerability by correctly validating the proxy URL. You can update with `pip install --upgrade gradio`.
CVE-2026-28416 is a Server-Side Request Forgery vulnerability in Gradio versions up to 6.5.1, allowing attackers to make unauthorized HTTP requests through a victim's server.
You are affected if you are using Gradio version 6.5.1 or earlier. Upgrade to version 6.6.0 to resolve the vulnerability.
Upgrade Gradio to version 6.6.0 or later. If upgrading isn't possible immediately, carefully review all Gradio Spaces being loaded and implement strict input validation.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation, and a PoC may emerge.
Refer to the Gradio project's security advisories and release notes on their GitHub repository for the official advisory.