CVE-2026-28416: CWE-918: Server-Side Request Forgery (SSRF) in gradio-app gradio
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
AI Analysis
Technical Summary
Gradio is a popular open-source Python package designed for rapid prototyping of machine learning and data science interfaces. Prior to version 6.6.0, Gradio contained a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-28416 (CWE-918). The vulnerability occurs when a victim application uses the `gr.load()` function to load a Gradio Space controlled by an attacker. The attack vector involves the malicious Space specifying a `proxy_url` in its configuration, which the vulnerable Gradio client trusts and adds to an internal allowlist without proper validation. This trust allows the attacker to coerce the victim server into making arbitrary HTTP requests to internal or protected resources, such as internal services, cloud provider metadata endpoints (e.g., AWS, Azure, GCP metadata APIs), or other private network assets. Because the victim server performs these requests, the attacker can bypass network restrictions and gain sensitive information or perform further attacks. The vulnerability requires no authentication or user interaction, making exploitation straightforward once the victim loads the malicious Space. The issue was addressed in Gradio version 6.6.0 by properly validating and restricting the `proxy_url` parameter, preventing unauthorized requests. No known exploits in the wild have been reported as of the publication date. The vulnerability has a CVSS 3.1 base score of 8.2, reflecting its high impact on confidentiality and ease of exploitation.
Potential Impact
The SSRF vulnerability in Gradio can have severe consequences for organizations using vulnerable versions, especially those deploying Gradio in cloud or internal network environments. Attackers can leverage this flaw to access sensitive internal services that are otherwise inaccessible externally, including cloud metadata endpoints that often contain credentials or tokens. This can lead to unauthorized disclosure of confidential information, such as cloud instance credentials, internal APIs, or private data stores. Additionally, attackers may use the SSRF to pivot within the victim's network, potentially escalating attacks or causing further compromise. The vulnerability does not directly impact availability or integrity but poses a significant confidentiality risk. Organizations relying on Gradio for rapid prototyping or internal tools may inadvertently expose critical infrastructure. Given the ease of exploitation without authentication or user interaction, the threat is substantial. Although no active exploitation is reported, the potential for damage is high, especially in cloud-heavy environments or organizations with sensitive internal services.
Mitigation Recommendations
Organizations should immediately upgrade Gradio to version 6.6.0 or later, where the SSRF vulnerability is fixed. Until then:
- Avoid loading untrusted or attacker-controlled Gradio Spaces with `gr.load()`.
- Implement network-level controls to restrict outbound HTTP requests from servers running Gradio, limiting access to only the external endpoints that are needed and blocking cloud metadata and private network addresses.
- Employ strict input validation and sanitization for any user-supplied URLs or proxy configurations in Gradio Spaces.
- Monitor network traffic for unusual outbound requests originating from Gradio servers, especially to internal IP ranges or cloud metadata endpoints.
- Consider deploying Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) with rules targeting SSRF patterns.
- Educate developers and users about the risks of loading untrusted Spaces and enforce policies to use only vetted Spaces.
- Conduct regular security assessments and penetration tests focusing on SSRF and related vulnerabilities in development and production environments.
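As an added illustration (not Gradio's own code and not its 6.6.0 patch), the Python below places the trust pattern the advisory describes beside one hardened alternative: a Space-supplied `proxy_url` is admitted to the outbound allowlist only if it is `https`, stays on the host the caller explicitly asked to load, and resolves solely to globally routable addresses. The `FAKE_DNS` table, hostnames and addresses are constructed stand-ins so the check runs offline.

```python
"""Added example: validating a Space-supplied proxy_url before it joins an
outbound-request allowlist. Hypothetical hardening, not Gradio's implementation."""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed, offline stand-in for DNS: hostname -> IP literal.
FAKE_DNS = {
    "hub.example": "8.8.8.8",                 # any globally routable address will do
    "metadata.internal": "169.254.169.254",   # cloud metadata endpoint
    "intranet.corp": "10.20.30.40",           # RFC 1918 host
}

def resolve(host: str) -> list[str]:
    """Unknown names and IP literals pass through; a non-IP result then fails closed."""
    return [FAKE_DNS.get(host, host)]

def is_public_ip(value: str) -> bool:
    """False for loopback, link-local (incl. 169.254.169.254), RFC 1918, ULA,
    unspecified, and for anything that is not a parseable address at all."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return ip.is_global

def vulnerable_allowlist(config: dict) -> set[str]:
    """Pre-6.6.0 behaviour as the advisory describes it: proxy_url trusted as-is."""
    return {config["proxy_url"]}

def hardened_allowlist(space_origin: str, config: dict,
                       lookup: Callable[[str], Iterable[str]] = resolve) -> set[str]:
    """Admit proxy_url only if it is https, on the host the caller chose to
    load, and every address it resolves to is globally routable."""
    wanted = urlsplit(space_origin)
    candidate = urlsplit(config.get("proxy_url", ""))
    if candidate.scheme != "https" or not candidate.hostname:
        return set()
    if candidate.hostname != wanted.hostname:
        return set()  # a Space config may not redirect traffic to another host
    if not all(is_public_ip(addr) for addr in lookup(candidate.hostname)):
        return set()  # rejects metadata, loopback and private-range targets
    return {f"https://{candidate.hostname}"}
```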
Affected Countries
United States, Germany, United Kingdom, Canada, France, Australia, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:33:57.289Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a212fb32ffcdb8a2777772
Added to database: 2/27/2026, 9:56:11 PM
Last enriched: 3/7/2026, 9:19:59 PM
Last updated: 4/13/2026, 5:56:18 PM