CVE-2026-28416
Published 2026-02-27
Priority P3 · 55 · high · CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS 0.32% (23.2th percentile)
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
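As an added defender-side illustration (not Gradio's code and not the project's 6.6.0 fix), the block below puts the weak pattern the advisory describes, trusting whatever `proxy_url` a remotely fetched Space config carries, beside a check that only admits a `proxy_url` to an outbound allowlist after validating scheme, userinfo, address class and host. `TRUSTED_SUFFIXES`, the function names and the sample configs are constructed assumptions for this example; the link-local metadata address and private ranges it rejects are the target classes the advisory names.

```python
"""Added illustration, not Gradio's code: how a proxy_url taken from a remotely
fetched Space config can be vetted before it is trusted for outbound requests."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts the operator is willing to proxy to; constructed for this example.
TRUSTED_SUFFIXES = (".hf.space", ".huggingface.co")


def unsafe_allowlist_proxy(config: dict, allowlist: set) -> set:
    """The weak pattern described in the advisory: whatever proxy_url the remote
    config carries is added to the allowlist without validation."""
    url = config.get("proxy_url")
    if url:
        allowlist.add(url)
    return allowlist


def check_proxy_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects non-HTTPS schemes, userinfo tricks, literal
    IP addresses (including private, loopback and link-local ranges such as the
    cloud metadata address) and hosts outside the trusted suffixes."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not a literal address
    if ip is not None:
        if not ip.is_global:
            return False, f"non-global address {ip}"
        return False, "literal IP address not allowed"
    host = host.lower().rstrip(".")
    if not any(host == s[1:] or host.endswith(s) for s in TRUSTED_SUFFIXES):
        return False, f"host {host} outside trusted suffixes"
    return True, "ok"


def safe_allowlist_proxy(config: dict, allowlist: set) -> set:
    """Hardened pattern: only a proxy_url that passes check_proxy_url is admitted;
    a rejection is printed with its reason so it can be picked up by logging."""
    url = config.get("proxy_url")
    if not url:
        return allowlist
    ok, reason = check_proxy_url(url)
    if ok:
        allowlist.add(url)
    else:
        print(f"rejected proxy_url {url!r}: {reason}")
    return allowlist


# Constructed sample configs, shaped like what a loader might receive.
SAMPLE_CONFIGS = [
    {"proxy_url": "https://example-space.hf.space/"},
    {"proxy_url": "https://169.254.169.254/latest/meta-data/"},
    {"proxy_url": "http://10.0.0.5:8080/"},
    {"proxy_url": "https://[::1]:6379/"},
    {"proxy_url": "https://example-space.hf.space@evil.example/"},
    {"proxy_url": "file:///etc/passwd"},
]


def demo() -> dict:
    """Run every sample config through the check and return url -> reason."""
    return {c["proxy_url"]: check_proxy_url(c["proxy_url"])[1] for c in SAMPLE_CONFIGS}


if __name__ == "__main__":
    for url, reason in demo().items():
        print(f"{url:55} {reason}")
```

The check deliberately refuses literal IP addresses altogether rather than only non-global ones: a Space's proxy endpoint is expected to be a DNS name under a known domain, and a hostname allowlist is the control that actually matters here, since an attacker who controls the Space also controls what the config says. DNS resolution of the admitted hostname is left to the HTTP client in this example; a production check would also pin or re-validate the resolved address.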
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gradio-app | gradio | < 6.6.0 | 6.6.0 |
| gradio_project | gradio | < 6.6.0 | 6.6.0 |
| gradio_project | gradio | >= 0 < 6.6.0 | 6.6.0 |
CVSS provenance
nvd · v3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vendor_redhat · 8.2 HIGH
GHSA
Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
ghsa · 2026-03-01 · CVE-2026-28416 [HIGH] CWE-918
### Summary
A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.
### Details
The vulnerability exists in Gradio's config processing flow when loading external Spaces:
1. **Config Fetching** (`gradio/external.py:630`): `gr.load()` calls `Blocks.from_config()` which fetches and processes the rem
OSV
Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
osv · 2026-03-01 · CVE-2026-28416 [HIGH]
Red Hat
Gradio: Server-Side Request Forgery allows access to internal services via malicious Space loading
vendor_redhat · 2026-02-27 · CVSS 8.2 · CVE-2026-28416 [HIGH] CWE-918
A flaw was found in Gradio, an open-source Python package for rapid prototyping. A remote attac
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-28414 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2026-28414 [MEDIUM]
## CVE-2026-28414: Gradio vulnerability analysis and mitigation
Source: NVD
Score 7.5 · Published February 27, 2026 · Severity HIGH · CNA Score 7.5
Affected Technologies: Gradio
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 1.3 · EPSS Percentile: 79.3
Affected packages and libraries: gradio
Sources: NVD · pip (Severity HIGH, Has Fix, Added at: Mar 02, 2026)
Wiz
CVE-2026-28415 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2026-28415 [MEDIUM]
## CVE-2026-28415: Gradio vulnerability analysis and mitigation
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the `_redirect_to_target()` function in Gradio's OAuth flow accepts an unvalidated `_target_url` query parameter, allowing redirection to arbitrary external URLs. This affects the `/logout` and `/login/callback` endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with `gr.LoginButton`). Starting in version 6.6.0, the `_target_url` parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
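An added illustration of the sanitization strategy the description attributes to 6.6.0, keeping only path, query and fragment of a redirect target; this is example code, not Gradio's implementation. `sanitize_target_url` and the sample targets are constructed, and the collapsing of leading slashes and backslashes goes one step beyond what the text states, to cover protocol-relative and backslash forms that browsers tolerate.

```python
"""Added illustration, not Gradio's code: reducing a redirect target to its path,
query and fragment so it can never point at another origin."""
from urllib.parse import urlsplit, urlunsplit


def sanitize_target_url(raw: str) -> str:
    """Keep only the path, query and fragment of raw; drop scheme, host and userinfo.
    Leading slashes and backslashes are collapsed to a single "/", so a
    protocol-relative form such as //evil.example/x (or the browser-tolerated
    /\\evil.example/x) cannot survive as an absolute URL."""
    parts = urlsplit(raw)
    path = "/" + parts.path.lstrip("/\\")
    return urlunsplit(("", "", path, parts.query, parts.fragment))


# Constructed inputs a /logout or /login/callback handler might see in _target_url.
SAMPLE_TARGETS = [
    "/dashboard?tab=1#top",
    "https://evil.example/phish",
    "//evil.example/phish",
    "/\\evil.example/phish",
    "",
]


def demo() -> dict:
    """Map each sample target to its sanitized, same-origin form."""
    return {t: sanitize_target_url(t) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for raw, safe in demo().items():
        print(f"{raw!r:32} -> {safe!r}")
```

Because the result always begins with exactly one "/", the redirect stays on the app's own origin whatever the caller supplied; an empty or scheme-only input degrades to "/" rather than an error.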
Source: NVD
Score 4.7 · Published February 27, 2026 · Severity MEDIUM · CNA Score 4.3
Affected Technologies: Gradio
Has Public Exploit: No · Has CISA KEV Exploit: No
CISA KEV Relea
Wiz
CVE-2026-27167 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2026-27167 [MEDIUM]
## CVE-2026-27167: Gradio vulnerability analysis and mitigation
Source: NVD
Score 5.9 · Published February 27, 2026 · Severity MEDIUM · CNA Score N/A
Affected Technologies: Gradio
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · EPSS Percentile: 5.5
Affected packages and libraries: gradio
Sources: NVD · pip (Severity LOW, Has Fix, Added at: Mar 02, 2026)
Wiz
CVE-2026-28416 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2026-28416 [MEDIUM]
## CVE-2026-28416: Gradio vulnerability analysis and mitigation
Source: NVD
Score 8.6 · Published February 27, 2026 · Severity HIGH · CNA Score 8.2
Affected Technologies: Gradio
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · EPSS Percentile: 4.1
Affected packages and libraries: gradio
Sources: NVD · pip (Severity HIGH, Has Fix, Added at: Mar 02, 2026)