DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28416: Implicit Trust in Remote Configuration Leads to SSRF in Gradio

Vulnerability ID: CVE-2026-28416
CVSS Score: 8.2
Published: 2026-03-01

A high-severity Server-Side Request Forgery (SSRF) vulnerability exists in Gradio, the Python framework for building machine learning web demos, due to improper validation of remote configuration. When a developer calls gr.load() to import a remote Hugging Face Space, the local Gradio instance fetches and ingests that Space's config.json. In vulnerable versions the application implicitly trusts the proxy_url values defined in that configuration and adds them to the local application's proxy allowlist. A malicious Space can therefore inject arbitrary internal URLs, such as cloud metadata endpoints or services on the local network, into the allowlist, and anyone who can reach the victim's /proxy endpoint can then have the victim fetch those URLs from its own network position and read back the response. The only precondition is that the victim loads an attacker-controlled Space; the attacker needs no access to the victim host itself.

TL;DR

Gradio versions prior to 6.6.0 are vulnerable to SSRF when loading untrusted Spaces via gr.load(). A malicious Space's config.json can add arbitrary internal URLs to the local proxy allowlist, letting an attacker reach cloud metadata endpoints or local services through the application's /proxy endpoint. Upgrade to 6.6.0 or later, and do not gr.load() Spaces you do not control.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network (Remote)
  • CVSS Score: 8.2 (High)
  • EPSS Score: 0.00030
  • Impact: Information Disclosure / Internal Network Access
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Gradio < 6.6.0 (fixed in 6.6.0)
  • Gradio Client (Python)
  • Applications that call gr.load() on Spaces from untrusted sources

Code Analysis

Commit: fc7c01e

Validate proxy url host to prevent SSRF
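The following is an added illustration of the trust boundary described in the report and of the intent of the fix commit above ("validate proxy url host"). It is not Gradio's source: the shape of the constructed config.json, the recursive search for any "proxy_url" key, the function names, and the choice to pin allowlisted hosts to the Space host the caller actually loaded are all assumptions made for the demonstration.

```python
"""Added illustration (not Gradio's code) of CVE-2026-28416's trust boundary.

Assumptions for the demo: the remote Space's config.json is walked for any
"proxy_url" value wherever it appears; `space_host` is the host the caller
deliberately passed to gr.load(); all function names are invented here.
"""
import ipaddress
import json
from typing import Any, Iterator, Set
from urllib.parse import urlparse

# Constructed config.json from a hypothetical malicious Space.  The first two
# proxy_url values point at an AWS-style metadata endpoint and a loopback
# service; only the third points back at the Space itself.
MALICIOUS_CONFIG = json.dumps({
    "version": "5.0.0",
    "components": [
        {"id": 1, "type": "image",
         "props": {"proxy_url": "http://169.254.169.254/latest/meta-data/"}},
        {"id": 2, "type": "file",
         "props": {"proxy_url": "http://127.0.0.1:8000/admin"}},
        {"id": 3, "type": "image",
         "props": {"proxy_url": "https://evil-space.hf.space/file=a.png"}},
    ],
})

SPACE_HOST = "evil-space.hf.space"  # the host the victim chose to load


def iter_proxy_urls(node: Any) -> Iterator[str]:
    """Yield every string stored under a 'proxy_url' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "proxy_url" and isinstance(value, str):
                yield value
            else:
                yield from iter_proxy_urls(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_proxy_urls(item)


def vulnerable_allowlist(config_json: str) -> Set[str]:
    """Before the fix, as the report describes it: trust every remote proxy_url."""
    return set(iter_proxy_urls(json.loads(config_json)))


def host_is_public(host: str) -> bool:
    """False for IP literals in loopback, private, link-local or other
    non-global ranges (169.254.169.254 is link-local).  Hostnames return True;
    they are constrained by the host pin below.  DNS rebinding is out of scope."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_global
    except ValueError:
        return True


def hardened_allowlist(config_json: str, space_host: str) -> Set[str]:
    """After: only HTTPS URLs whose host is the Space we actually asked for."""
    allowed: Set[str] = set()
    for url in iter_proxy_urls(json.loads(config_json)):
        parts = urlparse(url)
        if parts.scheme != "https":
            continue
        if not parts.hostname or parts.hostname != space_host.lower():
            continue
        if not host_is_public(parts.hostname):
            continue
        allowed.add(url)
    return allowed


def proxy_request_permitted(url: str, allowlist: Set[str]) -> bool:
    """The question a /proxy endpoint must ask before fetching for a client."""
    return url in allowlist


if __name__ == "__main__":
    print("vulnerable:", sorted(vulnerable_allowlist(MALICIOUS_CONFIG)))
    print("hardened:  ", sorted(hardened_allowlist(MALICIOUS_CONFIG, SPACE_HOST)))
```

Run stand-alone, the vulnerable allowlist contains all three remote-supplied URLs, including the metadata and loopback targets, while the hardened one keeps only the URL that points back at the Space that was loaded. Pinning to the Space host does most of the work; the IP-literal check is defence in depth for deployments where the pinned host is itself an address.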

Mitigation Strategies

  • Upgrade to Gradio 6.6.0 or later, where the proxy URL host is validated before it is added to the allowlist.
  • Only gr.load() Spaces you own or trust; an untrusted Space's config.json is attacker-controlled input.
  • Apply egress filtering on hosts running Gradio so they cannot reach cloud metadata addresses (for example 169.254.169.254) or internal services they have no reason to contact.
  • Enforce IMDSv2 on AWS EC2 instances; it requires a session token obtained with a PUT request and sent in a custom header, which a simple proxied GET cannot produce.

Remediation Steps:

  1. Identify all applications and environments (virtualenvs, containers, Spaces) that install the gradio library.
  2. Check the installed version in each with pip show gradio.
  3. If the version is below 6.6.0, upgrade immediately with pip install --upgrade gradio, and pin gradio>=6.6.0 in the project's requirements so the fix survives a rebuild.
  4. Verify the upgrade by checking the version again, and restart any long-running Gradio processes so they pick up the new code.
