Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
Published: 2026-02-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery enabling attacker to access internal resources and exfiltrate data
Action: Immediate Patch
AI Analysis

Impact

Gradio, a popular Python library, contains a Server-Side Request Forgery (SSRF) flaw that allows an attacker to make arbitrary HTTP requests from a victim server by hosting a malicious Space. When a victim application invokes `gr.load()` on a Space controlled by the attacker, the `proxy_url` from that Space's configuration is added to the allowlist without validation. The victim server can then be made to issue requests to internal services, cloud metadata endpoints, and other private networks, potentially leaking sensitive data or enabling lateral movement within the victim's infrastructure.

Affected Systems

The vulnerability affects the Gradio open-source Python package before version 6.6.0 from the Gradio-App project. Any deployment of Gradio prior to 6.6.0 that uses `gr.load()` to load external Spaces is susceptible.

Risk and Exploitability

With a CVSS score of 8.2 the flaw is considered high severity. The EPSS score is below 1%, indicating a low immediate exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the exploit path is straightforward for anyone able to host a malicious Space; a victim application that automatically loads user-supplied Spaces would allow the attacker to trigger the SSRF.

Generated by OpenCVE AI on April 16, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gradio to version 6.6.0 or later to remove the vulnerable logic.
  • Remove or restrict usage of `gr.load()` for untrusted Spaces, and enforce a strict whitelist of allowed proxy URLs.
  • Apply runtime network restrictions (e.g., firewall rules) to block internal services and cloud metadata endpoints from being accessed by the Gradio process.
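Added example (not Gradio's own code) of the strict proxy-URL allowlist the second action describes: the `proxy_url` read from a remotely loaded Space config must pass scheme, host and private-address checks before it is added to the set of hosts the server may contact. The trusted suffix `hf.space`, the function names and the config-dict shape are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption (hypothetical allowlist): only subdomains of these suffixes
# are accepted as proxy hosts, never an arbitrary host from a Space config.
TRUSTED_PROXY_SUFFIXES = ("hf.space",)

def is_non_public_ip_literal(host: str) -> bool:
    """True if host is an IP literal in a non-public range: loopback,
    RFC 1918 private space, or link-local (which includes the usual
    cloud metadata address 169.254.169.254). Hostnames return False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_global

def validate_proxy_url(proxy_url: str) -> str:
    """Return proxy_url if it may be allowlisted, else raise ValueError."""
    parts = urlsplit(proxy_url)
    if parts.scheme != "https":
        raise ValueError(f"proxy_url must use https, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in proxy_url are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("proxy_url has no host")
    if is_non_public_ip_literal(host):
        raise ValueError(f"proxy_url targets a non-public address: {host}")
    if not any(host.endswith("." + suffix) for suffix in TRUSTED_PROXY_SUFFIXES):
        raise ValueError(f"proxy_url host {host!r} is not a trusted proxy host")
    return proxy_url

def is_trusted_proxy_url(proxy_url: str) -> bool:
    """Boolean form of validate_proxy_url for callers that only need a verdict."""
    try:
        validate_proxy_url(proxy_url)
    except ValueError:
        return False
    return True

def allowlist_from_config(config: dict, allowlist: set) -> set:
    """Add config['proxy_url'] to the allowlist only when it validates.
    A failing proxy_url is dropped instead of being trusted as before the fix."""
    proxy_url = config.get("proxy_url")
    if proxy_url is not None and is_trusted_proxy_url(proxy_url):
        allowlist.add(proxy_url)
    return allowlist
```

A hostname allowlist cannot stop a trusted name from later resolving to an internal address, so the network-level restrictions in the third action remain necessary alongside this check.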

Advisories

Source: Github GHSA
ID: GHSA-jmh7-g254-2cq9
Title: Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing

History

Thu, 05 Mar 2026 13:15:00 +0000

First Time appeared (values added): Gradio Project; Gradio Project gradio
CPEs (values added): cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
Vendors & Products (values added): Gradio Project; Gradio Project gradio

Mon, 02 Mar 2026 22:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

First Time appeared (values added): Gradio-app; Gradio-app gradio
Vendors & Products (values added): Gradio-app; Gradio-app gradio
References
Metrics threat_severity (values removed): None
Metrics threat_severity (values added): Important


Fri, 27 Feb 2026 22:00:00 +0000

Description (values added): Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
Title (values added): Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
Weaknesses (values added): CWE-918
References
Metrics (values added): cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T21:59:40.942Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28416

Vulnrichment

Updated: 2026-03-02T21:59:37.308Z

NVD

Status: Analyzed

Published: 2026-02-27T22:16:24.667

Modified: 2026-03-05T13:03:21.533

Link: CVE-2026-28416

Redhat

Severity: Important

Public Date: 2026-02-27T21:47:04Z

Links: CVE-2026-28416 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses