CVE-2023-41626: Gradio: arbitrary file upload via /upload endpoint
Severity: MEDIUM

Gradio-based ML demos and internal AI tools expose an unrestricted file upload endpoint (/upload) that is reachable without authentication. Organizations running Gradio for model inference demos, whether on-premises, on internal networks, or on Hugging Face Spaces, should upgrade to a release later than v3.27.0, the version named in the advisory; this page lists no specific patched release, so confirm the fix version against the vendor advisory. High attack complexity lowers the immediate risk, but any public-facing Gradio instance should be treated as elevated risk because an uploaded file can be delivered straight into connected ML pipelines.
What is the risk?
Medium severity (CVSS 4.8) with elevated contextual risk in AI/ML environments. High attack complexity (AC:H) reduces opportunistic exploitation, but Gradio deployments are frequently internet-accessible with minimal security controls, and no privileges are required (PR:N), so any client that can reach the endpoint is a candidate attacker. In environments where Gradio fronts an ML pipeline that auto-processes uploads (image classifiers, document analyzers, audio transcription), an attacker-controlled file propagates directly into inference or pre-processing workflows; the real impact then depends on how that pipeline handles the file, for example whether it deserializes pickle-based formats.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Gradio | pip | v3.27.0 named in the advisory; no bounded range listed | none listed on this page |
Do you run Gradio v3.27.0, or a version you cannot confirm is later than it? Treat the instance as affected.
What should I do?
Six steps:

1. Upgrade Gradio to a release later than v3.27.0; this page lists no patched version, so take the exact release from the vendor advisory.
2. If the upgrade is blocked, restrict /upload at the reverse proxy or with network ACLs so that only trusted IP ranges can reach it.
3. Enforce a strict file extension allowlist on every upload handler and verify the content (magic bytes) rather than trusting the client-supplied Content-Type, which the attacker chooses.
4. Audit all Gradio deployments and catalog public-facing instances as the priority.
5. Detection: alert on POST /upload requests from unexpected sources or in bursts, and at the application layer on uploaded files with serialized or executable extensions (.pkl, .pt, .py, .sh, .exe, .bin). A standard proxy access log records neither the uploaded filename nor its type, so extension-based alerting needs application-level logging or request body inspection.
6. Run Gradio processes under least-privilege OS accounts isolated from production ML pipelines and model stores.
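The proxy-layer side of steps 2 and 5, as an added example that is not part of this page or of the Gradio project: a small Python script that reads reverse-proxy access log lines in Combined Log Format, flags POST /upload requests from outside an assumed trusted range (10.0.0.0/8 and 192.168.0.0/16 here) and flags bursts of uploads from one source inside a short window. The log lines, the trusted networks and the burst threshold are constructed assumptions for this illustration. Because this log format does not carry the uploaded filename or content type, the extension watchlist from step 5 cannot be applied here and belongs in the upload handler itself.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of reverse-proxy access log lines (Combined Log Format).
# Illustrative only; not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [12/Mar/2024:10:00:01 +0000] "POST /upload HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.20.0.15 - - [12/Mar/2024:10:00:05 +0000] "POST /run/predict HTTP/1.1" 200 845 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2024:10:01:10 +0000] "POST /upload HTTP/1.1" 200 118 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2024:10:01:11 +0000] "POST /upload HTTP/1.1" 200 118 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2024:10:01:12 +0000] "POST /upload HTTP/1.1" 200 118 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2024:10:01:13 +0000] "POST /upload HTTP/1.1" 200 118 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumed trusted source ranges (step 2 of the remediation list).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines, burst_threshold: int = 3, window: timedelta = timedelta(seconds=10)):
    """Return (alert_name, source_ip, timestamp) tuples for POST /upload traffic.

    Two rules: uploads from untrusted sources, and a burst of at least
    burst_threshold uploads from one source within the sliding window
    (reported once per source).
    """
    alerts = []
    recent = defaultdict(list)  # source ip -> timestamps of its recent uploads
    burst_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/upload":
            continue
        ip, ts = rec["ip"], rec["ts"]
        if not is_trusted(ip):
            alerts.append(("upload_from_untrusted_source", ip, ts))
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= burst_threshold and ip not in burst_flagged:
            burst_flagged.add(ip)
            alerts.append(("upload_burst", ip, ts))
    return alerts


if __name__ == "__main__":
    for name, ip, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {name} source={ip}")
```

In the sample, the internal client's single upload raises nothing, while the scripted client at 203.0.113.77 raises one untrusted-source alert per request and one burst alert on its third upload. Feeding the same function an nginx or Apache access log tail is the only change needed for a real deployment.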
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2023-41626?
CVE-2023-41626 is an arbitrary file upload vulnerability in Gradio v3.27.0: the /upload endpoint accepts files without authentication and without restricting their type. Operators of Gradio demos and internal AI tools should upgrade to a release later than v3.27.0 (confirming the patched release with the vendor advisory, since this page lists none) and treat public-facing instances as elevated risk because uploads can flow into connected ML pipelines.
Is CVE-2023-41626 actively exploited?
No confirmed active exploitation of CVE-2023-41626 has been reported, but organizations should still patch proactively.
How to fix CVE-2023-41626?
1. Upgrade Gradio to a release later than v3.27.0, taking the exact patched release from the vendor advisory. 2. If the upgrade is blocked, restrict /upload via reverse proxy rules or network ACLs to trusted IP ranges only. 3. Enforce a strict file extension allowlist on all upload handlers and verify content by magic bytes rather than trusting the client's Content-Type. 4. Audit all Gradio deployments and catalog public-facing instances as the priority. 5. Detection: alert on POST /upload requests from unexpected sources or in bursts, and on uploaded files with serialized or executable extensions (.pkl, .pt, .py, .sh, .exe, .bin). 6. Run Gradio processes under least-privilege OS accounts isolated from production ML pipelines and model stores.
What systems are affected by CVE-2023-41626?
This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, AI demo platforms, inference pipelines.
What is the CVSS score for CVE-2023-41626?
CVE-2023-41626 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.34%.
What is the AI security impact?
Affected AI Architectures
Model serving, ML development environments, AI demo platforms, inference pipelines.
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.
Exploitation Scenario
An adversary discovers a public-facing Gradio instance—an internal model demo, a Hugging Face Space, or a developer's exposed localhost tunnel. They craft a multipart POST to the /upload endpoint submitting a malicious pickle file with a benign filename. If the Gradio app auto-processes uploads or passes them to a backend pipeline (e.g., a document classification model), pickle deserialization executes arbitrary code—granting shell access, exfiltrating model artifacts, or staging persistence within the ML environment. No credentials are required; only network reachability to the /upload route.
Weaknesses (CWE)
CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
- [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
- [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Source: MITRE CWE corpus.
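The extension allowlist from step 3 of the remediation list and the two CWE-434 mitigations just quoted, as an added Python example that is not Gradio's own code: it checks the extension against an allowlist, sniffs the content's magic bytes instead of trusting the client's filename or Content-Type, rejects pickle streams (including the zip layout that torch.save() uses for .pt/.pth files), and writes the file under a server-generated name so the user-supplied filename never reaches the filesystem. The allowed types, the size cap and the sample inputs are assumptions for this illustration. In a Gradio app it would be called from the function that receives the uploaded file, before the bytes reach any model or pre-processing step; a type filter on the upload component alone is a client-side hint, not a server-side control.

```python
import io
import os
import secrets
import tempfile
import zipfile
from pathlib import Path

# Assumed allowlist for an image/document demo: extension -> magic bytes.
# None means "no fixed magic; the file must at least be valid UTF-8 text".
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".txt": None,
}
MAX_BYTES = 10 * 1024 * 1024  # assumed size cap


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller logs and drops it."""


def contains_pickle(data: bytes) -> bool:
    """True for a pickle stream (protocol 2+ starts with PROTO 0x80 and a
    version byte) or a zip archive carrying a .pkl member, the layout
    torch.save() produces for .pt/.pth files."""
    if len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5:
        return True
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.endswith(".pkl") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def validate_upload(original_name: str, data: bytes) -> str:
    """Return the accepted extension or raise UploadRejected.

    Only the bytes are trusted: the client's filename and Content-Type are
    attacker-controlled, so the declared extension is checked against content.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = Path(original_name).suffix.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not in allowlist")
    if contains_pickle(data):
        raise UploadRejected("pickle stream detected")
    magic = ALLOWED[ext]
    if magic is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text file is not valid UTF-8") from None
    elif not data.startswith(magic):
        raise UploadRejected(f"content does not match {ext}")
    return ext


def store_upload(original_name: str, data: bytes, quarantine_dir: Path) -> Path:
    """Validate, then write under a fresh random name (CWE-434 mitigation:
    the user-supplied filename is never used on disk)."""
    ext = validate_upload(original_name, data)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / f"{secrets.token_hex(16)}{ext}"
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o600)
    return dest


def build_pickle_in_zip() -> bytes:
    """Constructed sample: a zip with a data.pkl member, mimicking a
    torch.save() archive. The member is a harmless empty-dict pickle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", b"\x80\x04}\x94.")
    return buf.getvalue()


def demo() -> dict:
    """Run the validator over constructed inputs; returns the outcome per case."""
    cases = {
        "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # genuine PNG header
        "notes.txt": b"hello",                            # plain text
        "model.pkl": b"\x80\x04}\x94.",                   # pickle, honest name
        "weights.pt": build_pickle_in_zip(),              # torch-style archive
        "photo.png": b"\x80\x04}\x94.",                   # pickle disguised as PNG
        "script.py": b"import os\n",                      # source file
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in cases.items():
            try:
                store_upload(name, data, Path(tmp))
                results[name] = "accepted"
            except UploadRejected as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

The order of checks matters: the extension gate is cheap and runs first, the pickle check runs before the magic comparison so that a pickle renamed to an allowed extension is reported as what it is, and the random filename removes the path-traversal and overwrite class of problems entirely rather than trying to sanitize the client's name.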
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Related Vulnerabilities (same package: gradio)
- CVE-2024-47167 (9.8) Gradio: unauthenticated SSRF in /queue/join, internal pivot
- CVE-2024-39236 (9.8) Gradio: code injection via component metadata
- CVE-2023-25823 (9.8) Gradio: hardcoded SSH key leaks via share=True demos
- CVE-2024-0964 (9.4) Gradio: unauthenticated LFI exposes full server filesystem
- CVE-2023-34239 (9.1) Gradio: path traversal + SSRF exposes model files & infra