
CVE-2026-28416: CWE-918: Server-Side Request Forgery (SSRF) in gradio-app gradio

Severity: High
Tags: Vulnerability, CVE-2026-28416, CWE-918
Published: Fri Feb 27 2026 (02/27/2026, 21:47:04 UTC)
Source: CVE Database V5
Vendor/Project: gradio-app
Product: gradio

Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.

AI-Powered Analysis

Last updated: 02/27/2026, 22:11:48 UTC

Technical Analysis

Gradio is an open-source Python package widely used for rapid prototyping of machine learning and data science applications. Prior to version 6.6.0, Gradio contained a Server-Side Request Forgery (SSRF) vulnerability tracked as CVE-2026-28416 (CWE-918). The vulnerability is triggered when an application calls gr.load() on a Gradio Space controlled by an attacker. gr.load() fetches the remote Space's configuration, and that configuration can carry a proxy_url; vulnerable versions trust the value and add it to the internal allowlist of hosts the application is permitted to proxy requests to. Because the allowlist now contains an attacker-chosen host, the attacker can coerce the victim's server into issuing HTTP requests to destinations that are not reachable from outside, such as private network services, cloud provider instance metadata endpoints (AWS, GCP, Azure) and other internal infrastructure components. Using the victim's server as a pivot into its network, this SSRF can lead to unauthorized information disclosure and enable follow-on attacks. Exploitation requires no authentication to the victim application and no user interaction at attack time; the precondition is that the victim application loads an attacker-controlled Space with gr.load(). The CVSS 3.1 base score is 8.2 (High): network attack vector, low attack complexity, no privileges required, no user interaction, high confidentiality impact, low integrity impact and minimal availability impact. The vulnerability was publicly disclosed on February 27, 2026 and fixed in Gradio version 6.6.0. No exploitation in the wild has been reported so far. Given Gradio's popularity in the data science and ML communities, the risk remains significant for organizations running vulnerable versions that load Spaces they do not control.
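The core mistake described above is admitting a remote-supplied proxy_url to an allowlist without validating it. The following is an added example written for this page, not Gradio's own code or its fix: it shows a config-time check that only admits https URLs under a trusted DNS suffix and rejects IP literals and known internal names, plus a request-time check on the resolved address so that a trusted name that later resolves to an internal IP (DNS rebinding, a hijacked zone) is still blocked. The trusted suffix, the blocked hostnames, the sample configs and all function names are assumptions made for illustration.

```python
# Added example (not Gradio's own code): validate a proxy_url taken from a
# remote Space's config before it is admitted to a proxy allowlist, and then
# re-check the resolved destination address at request time. The trusted
# suffix, the config blobs and the function names are assumptions for
# illustration only.
import ipaddress
from urllib.parse import urlsplit

# Assumption: legitimate Space proxies live under this DNS suffix.
TRUSTED_PROXY_SUFFIXES = (".hf.space",)

# Hostnames that must never be proxied even though they are not IP literals.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}

# Constructed configs, shaped like what a victim might receive via gr.load():
# the first is benign, the rest are attacker-controlled SSRF attempts.
SAMPLE_CONFIGS = [
    {"proxy_url": "https://owner-demo.hf.space/"},
    {"proxy_url": "http://169.254.169.254/latest/meta-data/"},   # AWS/Azure IMDS
    {"proxy_url": "http://metadata.google.internal/computeMetadata/v1/"},
    {"proxy_url": "http://10.0.0.5:8080/"},
    {"proxy_url": "https://[fd00::1]/"},
    {"proxy_url": "https://evil.example.com/"},
    {"proxy_url": "file:///etc/passwd"},
]


def proxy_url_is_trusted(proxy_url: str) -> bool:
    """Config-time check: accept only https URLs whose DNS name is under a trusted suffix."""
    parts = urlsplit(proxy_url)
    if parts.scheme != "https":          # rejects http://, file://, gopher:// ...
        return False
    host = parts.hostname                # lower-cased, brackets stripped, None if absent
    if not host or host in BLOCKED_HOSTNAMES:
        return False
    try:                                 # any IP literal is rejected outright
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host.endswith(TRUSTED_PROXY_SUFFIXES)


def destination_ip_is_public(ip_str: str) -> bool:
    """Request-time check on the address the proxy host actually resolved to.

    A trusted name can still resolve to an internal address (DNS rebinding or a
    compromised zone), so the resolved IP is checked again just before connecting.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def build_allowlist(configs):
    """Return the set of proxy hosts that pass the config-time check."""
    allowed = set()
    for cfg in configs:
        url = cfg.get("proxy_url", "")
        if proxy_url_is_trusted(url):
            allowed.add(urlsplit(url).hostname)
    return allowed


if __name__ == "__main__":
    for cfg in SAMPLE_CONFIGS:
        url = cfg["proxy_url"]
        print(f"{'ALLOW' if proxy_url_is_trusted(url) else 'REJECT':6} {url}")
    print("allowlist:", build_allowlist(SAMPLE_CONFIGS))
    for addr in ("93.184.216.34", "169.254.169.254", "::ffff:10.0.0.5"):
        print(f"{addr:>22} public={destination_ip_is_public(addr)}")
```

The two checks are deliberately separate: the hostname check decides what goes into the allowlist, while the resolved-address check guards the actual connection, which is where link-local metadata addresses and RFC 1918 ranges must be refused regardless of how the name was obtained.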

Potential Impact

The primary impact of this SSRF vulnerability is unauthorized access to internal services and to cloud instance metadata endpoints from inside the victim's network. An attacker can use the forced requests to read data that is normally unreachable from outside, such as instance credentials served by a metadata endpoint, responses from internal APIs, or private network resources, which in turn can support data breaches, lateral movement and privilege escalation. Organizations whose Gradio prototypes or production ML applications load Spaces they do not control risk exposing their internal environment. Confidentiality is the most severely affected property; integrity is at some risk if the attacker uses what was learned to manipulate internal services, and availability impact is minimal. Because the attacker needs no credentials for the victim application and no user interaction once the malicious Space is loaded, every application that loads untrusted Spaces is exposed, which can undermine trust in ML deployment pipelines and expose critical infrastructure in cloud and enterprise environments.

Mitigation Recommendations

The definitive fix is to upgrade every Gradio installation to version 6.6.0 or later. Until that is done, audit codebases and deployment configurations for gr.load() calls that load external or untrusted Spaces, and remove or restrict them: maintain an explicit allowlist of trusted Spaces and never load a Space whose name comes from user input or another untrusted source. At the network layer, egress filtering and segmentation limit what a coerced application can reach; in particular, block or tightly restrict access to the cloud metadata endpoint (169.254.169.254 on AWS and Azure, metadata.google.internal on GCP) from application workloads that do not need it, and prefer metadata services that resist SSRF, such as AWS IMDSv2 with a low hop limit. Log outbound HTTP requests from Gradio processes and alert on connections to link-local, loopback or RFC 1918 destinations, which are the signature of SSRF attempts. Apply least privilege to the instance role and to internal services so that a successful SSRF yields as little as possible. Finally, make developers aware of the risk of loading Spaces they do not control, and keep Gradio and its dependencies patched through routine dependency management.
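The code audit and allowlisting recommended above can be automated rather than done by eye. The following is an added example written for this page, not a tool shipped with Gradio: it parses Python source with the standard library's ast module, resolves whatever name gradio was imported under, finds every call to its load() function, and classifies each call by whether it loads a Space from a trusted owner, an untrusted owner, a non-literal (dynamic) name, or something that is not a Space at all. It assumes the two public call forms gr.load("owner/name", src="spaces") and gr.load("spaces/owner/name"); the trusted-owner set and the sample source are constructed for illustration.

```python
# Added example (not a Gradio tool): find gr.load()/gradio.load() calls in
# Python source and flag those that load a Space from an owner outside an
# allowlist. The owner allowlist and the sample source below are constructed
# for illustration; the verdict strings are this example's own convention.
import ast

# Assumption: Spaces published under these owners have been reviewed.
TRUSTED_SPACE_OWNERS = {"myorg"}

# Constructed sample source covering the cases the audit must distinguish.
SAMPLE_SOURCE = '''
import gradio as gr
import gradio

safe = gr.load("myorg/reviewed-demo", src="spaces")
risky = gradio.load("spaces/someone-else/untrusted-demo")
dynamic = gr.load(space_name, src="spaces")
model = gr.load("models/gpt2")
'''

TRUSTED, UNTRUSTED, DYNAMIC, NOT_A_SPACE = "trusted", "untrusted", "dynamic", "not-a-space"


def _gradio_aliases(tree):
    """Names under which the gradio module is imported (e.g. {'gr', 'gradio'})."""
    aliases = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "gradio":
                    aliases.add(alias.asname or alias.name)
    return aliases


def _is_gradio_load(call, aliases):
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id in aliases)


def _space_name(call):
    """Return (name, is_space); name is None when the first argument is not a string literal."""
    if not call.args or not isinstance(call.args[0], ast.Constant) \
            or not isinstance(call.args[0].value, str):
        return None, False
    name = call.args[0].value
    src = next((kw.value.value for kw in call.keywords
                if kw.arg == "src" and isinstance(kw.value, ast.Constant)), None)
    if name.startswith("spaces/"):               # gr.load("spaces/owner/name")
        return name[len("spaces/"):], True
    return name, src == "spaces"                 # gr.load("owner/name", src="spaces")


def audit_source(source, trusted_owners=TRUSTED_SPACE_OWNERS):
    """Return [(line, space_name_or_None, verdict), ...] for every gradio load() call."""
    tree = ast.parse(source)
    aliases = _gradio_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _is_gradio_load(node, aliases):
            continue
        name, is_space = _space_name(node)
        if name is None:
            verdict = DYNAMIC          # name not known statically: must be reviewed
        elif not is_space:
            verdict = NOT_A_SPACE      # model or URL load, outside this CVE's scope
        elif name.split("/")[0] in trusted_owners:
            verdict = TRUSTED
        else:
            verdict = UNTRUSTED        # attacker could control this Space's config
        findings.append((node.lineno, name, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, verdict in audit_source(SAMPLE_SOURCE):
        print(f"line {line:>3}: {verdict:12} {name}")
```

Run it over each file in the repository (for example by feeding `open(path).read()` to `audit_source`) and treat every `untrusted` and `dynamic` finding as a blocker until the project is on Gradio 6.6.0 or later; `dynamic` calls deserve attention even after upgrading, since a Space name taken from user input is exactly the pattern that let an attacker choose the loaded Space here.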


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-27T15:33:57.289Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69a212fb32ffcdb8a2777772

Added to database: 2/27/2026, 9:56:11 PM

Last enriched: 2/27/2026, 10:11:48 PM

Last updated: 2/27/2026, 11:08:40 PM

