Cyber Resilience

CVE-2026-28416

High

Published: 27 February 2026
Modified: 05 March 2026
KEV Added: not listed
Patch: fixed in version 6.6.0
CVSS v3.1 Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0032 (23.1st percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-28416 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Gradio (vendor: Gradio Project). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE is ranked at the 23.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Other Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28416 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting Gradio, an open-source Python package for quick prototyping, in versions prior to 6.6.0. The flaw occurs when a victim application uses the `gr.load()` function to load a Gradio Space controlled by an attacker, as the malicious `proxy_url` from the Space's configuration is trusted and added to the application's allowlist without validation.

An unauthenticated attacker (AV:N/AC:L/PR:N) can exploit this by hosting a malicious Gradio Space and tricking a victim into loading it via `gr.load()`. This grants the attacker the ability to make arbitrary HTTP requests from the victim's server, including access to internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. The vulnerability yields high confidentiality impact (C:H) with low integrity impact (I:L) and no availability impact (A:N), as scored at CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

The Gradio security advisory at https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9 confirms that upgrading to version 6.6.0 resolves the issue by addressing the trusted `proxy_url` handling in the allowlist.
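As an added defensive example (not Gradio's own code and not the 6.6.0 fix), the Python check below shows the kind of input validation SI-10 calls for before a `proxy_url` taken from a loaded Space's configuration is added to an outbound allowlist. The trusted host suffixes, the offline DNS table and the function names `validate_proxy_url` and `proxy_url_allowed` are constructed assumptions for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed for this example: host suffixes the operator trusts for Space proxying.
TRUSTED_HOST_SUFFIXES = ("hf.space", "huggingface.co")

# Constructed DNS table so the example runs offline; use system_resolver in practice.
CONSTRUCTED_DNS = {
    "good-space.hf.space": ["8.8.8.8"],              # any globally routable address
    "metadata-space.hf.space": ["169.254.169.254"],  # link-local cloud metadata endpoint
    "intranet-space.hf.space": ["10.0.0.5"],         # RFC 1918 private address
    "mapped-space.hf.space": ["::ffff:127.0.0.1"],   # IPv4-mapped loopback
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])

def system_resolver(host):  # real lookups; returns IP address strings
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_proxy_url(url, resolver=system_resolver):
    """Return a normalised https origin if url is safe to allowlist, else raise ValueError.
    Rejects non-https schemes, embedded credentials, untrusted hosts, and any host that
    resolves to a non-public address (loopback, RFC 1918, link-local, IPv4-mapped forms)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("embedded credentials not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if not any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES):
        raise ValueError(f"host {host!r} is not under a trusted suffix")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host {host!r} does not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d before classifying
        if not ip.is_global:
            raise ValueError(f"host {host!r} resolves to non-public address {addr}")
    # The caller should pin the connection to these addresses to resist DNS rebinding.
    return f"https://{host}:{parts.port or 443}"

def proxy_url_allowed(url, resolver=system_resolver):
    try:
        validate_proxy_url(url, resolver)
        return True
    except ValueError:
        return False
```

The resolved addresses are checked at validation time only; for a production check, the same addresses should be reused for the actual outbound connection rather than resolved again.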

Vulnerability details

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)
AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: gradio

Related Threats

MITRE ATT&CK Enterprise Techniques

T1046 Network Service Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1552.005 Cloud Instance Metadata API (tactic: Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Why these techniques?

SSRF directly enables internal network service probing (T1046) and cloud metadata endpoint access for credential theft (T1552.005) from the victim server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23042 (same product: Gradio Project Gradio)
CVE-2026-28414 (same product: Gradio Project Gradio)
CVE-2026-34576 (shared CWE-918)
CVE-2026-25991 (shared CWE-918)
CVE-2026-42141 (shared CWE-918)
CVE-2026-30232 (shared CWE-918)
CVE-2026-38527 (shared CWE-918)
CVE-2026-31941 (shared CWE-918)
CVE-2026-27826 (shared CWE-918)
CVE-2026-43884 (shared CWE-918)

Affected Assets

Vendor: gradio project
Product: gradio
Versions: ≤ 6.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Validates untrusted inputs, such as the malicious `proxy_url` from an attacker-controlled Gradio Space, to prevent it from being added to the allowlist and enabling SSRF.

Flaw remediation (prevent): Requires timely identification, reporting, and remediation of the SSRF flaw in Gradio versions prior to 6.6.0 through patching or upgrades.

SC-7 Boundary Protection (prevent, detect): Monitors and controls outbound communications at system boundaries to block unauthorized SSRF requests to internal services, cloud metadata, and private networks.

References