{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28416", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.289Z", "datePublished": "2026-02-27T21:47:04.975Z", "dateUpdated": "2026-02-27T21:47:04.975Z"}, "containers": {"cna": {"title": "Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"}], "affected": [{"vendor": "gradio-app", "product": "gradio", "versions": [{"version": "< 6.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T21:47:04.975Z"}, "descriptions": [{"lang": "en", "value": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue."}], "source": {"advisory": "GHSA-jmh7-g254-2cq9", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue."}], "id": "CVE-2026-28416", "lastModified": "2026-02-27T22:16:24.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T22:16:24.667", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Gradio: Gradio: Server-Side Request Forgery allows access to internal services via malicious Space loading", "id": "2443453", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443453"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.", "A flaw was found in Gradio, an open-source Python package for rapid prototyping. A remote attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load this attacker-controlled Space, a malicious `proxy_url` from the configuration is trusted. This allows the attacker to make arbitrary HTTP requests from the victim's server, potentially accessing internal services, cloud metadata endpoints, and private networks through the victim's infrastructure."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, avoid loading Gradio Spaces from untrusted or unverified sources when using `gr.load()` in applications like the Ansible Chatbot Service. Additionally, implement network egress filtering to restrict outbound connections from systems running Gradio applications, preventing access to internal network resources, cloud metadata endpoints, and private networks."}, "name": "CVE-2026-28416", "public_date": "2026-02-27T21:47:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28416\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28416\nhttps://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"], "statement": "This is an IMPORTANT Server-Side Request Forgery (SSRF) vulnerability in Gradio, affecting the `ansible-chatbot-service` within Red Hat Ansible Services. The flaw allows an attacker to make arbitrary HTTP requests from a victim's server by injecting a malicious `proxy_url` when the application uses `gr.load()` to load an attacker-controlled Gradio Space. This could lead to unauthorized access to internal services, cloud metadata, and private networks.", "threat_severity": "Important"}