Any Gradio deployment using `gr.load()` to load external or community Spaces is exposed to SSRF attacks that can reach cloud metadata endpoints (AWS IMDS, GCP metadata) and internal network services — a direct path to IAM credential theft and cloud account takeover. Patch to Gradio 6.6.0 immediately; if delay is unavoidable, restrict `gr.load()` to internal/trusted sources only and block egress to 169.254.169.254 at the network layer. Cloud-hosted ML environments are highest priority — this is not a theoretical risk.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | < 6.6.0 | 6.6.0 |
| gradio | pip | — | No patch |
| gradio | pip | — | No patch |
Severity & Risk
Recommended Action
- 1) Patch: upgrade to Gradio 6.6.0 immediately — this is the only full fix. 2) If patching is delayed: audit all gr.load() calls and whitelist only internal, verified Spaces; remove or gate any untrusted external Space loading. 3) Network controls: block outbound HTTP from Gradio servers to RFC1918 ranges and cloud metadata endpoints (169.254.169.254, metadata.google.internal, 169.254.169.254). 4) Least privilege: review and restrict IAM roles attached to instances hosting Gradio — ensure no overly permissive roles exist that SSRF-harvested credentials could abuse. 5) Detection: alert on outbound HTTP requests from Gradio processes to metadata ranges and internal subnets; review Gradio access logs for unexpected proxy_url patterns. 6) Incident response: if exposure is suspected, rotate all IAM credentials associated with affected Gradio hosts.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
Exploitation Scenario
An attacker publishes a malicious Gradio Space on Hugging Face with a config embedding `proxy_url: http://169.254.169.254/latest/meta-data/iam/security-credentials/prod-ml-role`. A security engineer at a target org runs `gr.load('attacker/demo-model')` to evaluate the Space during routine model vetting. Gradio trusts the returned proxy_url and adds it to the allowlist. The attacker then proxies requests through the victim's server to the metadata endpoint, harvesting temporary AWS IAM credentials for the `prod-ml-role` attached to the Gradio host. With those credentials, the attacker pivots to S3 buckets containing proprietary training data, model artifacts, and customer datasets — achieving data exfiltration with no direct access to victim infrastructure.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N References
- github.com/advisories/GHSA-jmh7-g254-2cq9
- github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc
- github.com/gradio-app/gradio/releases/tag/gradio%406.6.0
- github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9
- nvd.nist.gov/vuln/detail/CVE-2026-28416
- github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9 Vendor
- github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9 Vendor
- github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9 Vendor