CVE-2023-41626: Gradio: arbitrary file upload via /upload endpoint

MEDIUM
Published September 15, 2023
CISO Take

Gradio-based ML demos and internal AI tools expose an unrestricted file upload endpoint accessible without authentication. Organizations running Gradio for model inference demos—on-premises, internal networks, or Hugging Face Spaces—should upgrade past v3.27.0 immediately. High attack complexity lowers immediate risk, but any public-facing Gradio instance should be treated as elevated given potential for malicious payload delivery into connected ML pipelines.

Risk Assessment

Medium severity (CVSS 4.8) with elevated contextual risk in AI/ML environments. The high attack complexity (AC:H) reduces opportunistic exploitation, but Gradio deployments are frequently internet-accessible with minimal security controls. The absence of authentication requirements (PR:N) broadens the attack surface. In environments where Gradio fronts an ML pipeline that auto-processes uploads (image classifiers, document analyzers, audio transcription), an attacker-controlled file can propagate directly into inference or pre-processing workflows.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
gradio    pip                            No patch


Severity & Risk

CVSS 3.1: 4.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 25% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Recommended Action

1. Upgrade Gradio beyond v3.27.0 immediately; check the vendor advisory for the exact patched release.

2. If upgrade is blocked, restrict /upload via reverse proxy rules or network ACLs to trusted IP ranges only.

3. Implement strict MIME type and file extension allowlisting on all upload endpoints.

4. Audit all Gradio deployments, cataloguing public-facing instances as the priority.

5. Detection: alert on /upload requests carrying unusual file extensions or MIME types (.pkl, .pt, .py, .sh, .exe, .bin).

6. Run Gradio processes under least-privilege OS accounts isolated from production ML pipelines and model stores.
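Steps 3 and 5 together, as an added example that is not Gradio's own code: a multipart-body inspector that applies an extension, declared-MIME and magic-byte allowlist to each file part and raises an alert for the extensions step 5 lists. It assumes an image-classifier demo (so only PNG/JPEG are legitimate); the allowlist, the boundary string and the sample requests are constructed, and the check would run in a reverse-proxy or WAF hook in front of /upload, or at the start of the app's own handler.

```python
"""Allowlist check plus detection for file parts POSTed to Gradio's /upload (added example)."""
import email
from pathlib import PurePosixPath

# Assumed: the app is an image classifier, so only PNG/JPEG are legitimate. Each entry pairs the
# extension with the MIME type the client must declare and the magic bytes the content must start with.
ALLOWED = {".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
           ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
           ".jpeg": ("image/jpeg", b"\xff\xd8\xff")}
# Extensions the advisory's detection step calls out as unusual for an upload endpoint.
SUSPICIOUS = {".pkl", ".pt", ".py", ".sh", ".exe", ".bin"}
BOUNDARY = "gradio-example-boundary"  # constructed
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

def file_parts(content_type: str, body: bytes):
    """Yield (filename, declared MIME, payload) for every file part of a multipart/form-data body."""
    msg = email.message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, part.get_content_type(), part.get_payload(decode=True)

def check_upload(content_type: str, body: bytes):
    """Return (allowed, alerts). allowed is True only when every file part has an allowlisted
    extension whose declared MIME and leading bytes agree; alerts records suspicious extensions."""
    allowed, alerts = True, []
    for name, mime, payload in file_parts(content_type, body):
        ext = PurePosixPath(name).suffix.lower()
        if ext in SUSPICIOUS:
            alerts.append(f"suspicious upload: {name} ({mime})")
        rule = ALLOWED.get(ext)
        if rule is None or mime != rule[0] or not payload.startswith(rule[1]):
            allowed = False
    return allowed, alerts

def build_body(parts) -> bytes:
    """Assemble a constructed multipart body from (filename, mime, data) tuples."""
    out = b""
    for name, mime, data in parts:
        out += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="files"; filename="{name}"\r\n'
                f"Content-Type: {mime}\r\n\r\n").encode() + data + b"\r\n"
    return out + f"--{BOUNDARY}--\r\n".encode()

# Constructed sample requests: one legitimate image, one non-image hidden behind a benign .png name
# (caught by the magic-byte check), and one openly uploaded .pkl (caught by the extension alert).
GOOD_BODY = build_body([("cat.png", "image/png", b"\x89PNG\r\n\x1a\nfakepixels")])
BAD_BODY = build_body([("report.png", "image/png", b"\x80\x04\x95notreallyapng"),
                       ("weights.pkl", "application/octet-stream", b"\x80\x04\x95fakepickle")])
```

`check_upload(CONTENT_TYPE, GOOD_BODY)` accepts the request, while `check_upload(CONTENT_TYPE, BAD_BODY)` rejects it and returns one alert for the `.pkl` part; the renamed part is rejected silently because its extension is not on the alert list but its bytes do not match PNG.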

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.8.2 - AI System Input Controls
NIST AI RMF: MANAGE-2.4 - Risk Treatment for AI System Vulnerabilities
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2023-41626 actively exploited?

No confirmed active exploitation of CVE-2023-41626 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2023-41626?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, AI demo platforms, inference pipelines.

What is the CVSS score for CVE-2023-41626?

CVE-2023-41626 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.

Exploitation Scenario

An adversary discovers a public-facing Gradio instance—an internal model demo, a Hugging Face Space, or a developer's exposed localhost tunnel. They craft a multipart POST to the /upload endpoint submitting a malicious pickle file with a benign filename. If the Gradio app auto-processes uploads or passes them to a backend pipeline (e.g., a document classification model), pickle deserialization executes arbitrary code—granting shell access, exfiltrating model artifacts, or staging persistence within the ML environment. No credentials are required; only network reachability to the /upload route.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

Published: September 15, 2023
Last Modified: November 21, 2024
First Seen: September 15, 2023

Related Vulnerabilities