CVE-2026-28416

High CVSS: 8.2

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.

Vendor

Gradio Project

Product

Gradio

CWE

CWE-918

Yayın Tarihi

2026-02-27 22:16:24

Güncelleme

2026-03-05 13:03:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Gradio HIGH Gradio Project 2026

Referanslar

https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9

Benzer Kayıtlar

High

CVE-2026-28414

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Win…

Medium

CVE-2026-28415

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target(…

Unknown

CVE-2026-27167

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version…

Medium

CVE-2025-48889

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning mod…

High

CVE-2025-0187

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. T…

Medium

CVE-2024-8021

An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker t…