CVE-2026-28416
Published: 27 February 2026
Summary
CVE-2026-28416 is a high-severity SSRF (CWE-918) vulnerability in Gradio Project Gradio. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates untrusted inputs like the malicious proxy_url from attacker-controlled Gradio Spaces to prevent it from being added to the allowlist and enabling SSRF.
Requires timely identification, reporting, and remediation of the SSRF flaw in Gradio versions prior to 6.6.0 through patching or upgrades.
Monitors and controls outbound communications at system boundaries to block unauthorized SSRF requests to internal services, cloud metadata, and private networks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF directly enables internal network service probing (T1046) and cloud metadata endpoint access for credential theft (T1552.005) from the victim server.
NVD Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space.…
more
When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
Deeper analysisAI
CVE-2026-28416 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting Gradio, an open-source Python package for quick prototyping, in versions prior to 6.6.0. The flaw occurs when a victim application uses the `gr.load()` function to load a Gradio Space controlled by an attacker, as the malicious `proxy_url` from the Space's configuration is trusted and added to the application's allowlist without validation.
An unauthenticated attacker (AV:N/AC:L/PR:N) can exploit this by hosting a malicious Gradio Space and tricking a victim into loading it via `gr.load()`. This grants the attacker the ability to make arbitrary HTTP requests from the victim's server, including access to internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. The vulnerability yields high confidentiality impact (C:H) with low integrity impact (I:L) and no availability impact (A:N), as scored at CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
The Gradio security advisory at https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9 confirms that upgrading to version 6.6.0 resolves the issue by addressing the trusted `proxy_url` handling in the allowlist.
Details
- CWE(s)