GHSA-26jh-r8g2-6fpr: Gradio: Dropdown validation bypass enables arbitrary input

GHSA-26jh-r8g2-6fpr MEDIUM
Published October 10, 2024
CISO Take

Gradio's Dropdown `allow_custom_value=False` can be bypassed via crafted HTTP requests, letting attackers inject arbitrary values directly into your ML inference pipeline. While medium severity standalone, risk escalates sharply if prediction functions treat Dropdown values as trusted inputs for file paths, database queries, or shell arguments — a common pattern in Gradio-based tooling. Upgrade to gradio>=5.0.0 immediately and enforce server-side allowlist validation regardless of UI constraints.

What is the risk?

Medium standalone (CVSS 5.3, AV:N/AC:L/PR:N/UI:N), but contextually higher in AI/ML deployments. Zero authentication required, low attack complexity, fully remote. The real risk is developer trust assumption: Gradio devs routinely treat UI-enforced constraints as a security boundary, making this a silent false boundary that attackers trivially shatter. Gradio deployments span internal ML tools, Hugging Face Spaces, and production inference endpoints — all exposed surfaces.

What systems are affected?

Package: Gradio
Ecosystem: pip
Vulnerable Range: < 5.0.0
Patched: 5.0.0

Do you use Gradio older than 5.0.0? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I Low
A None

What should I do?

  1. Patch: Upgrade to gradio>=5.0.0 immediately — this is the definitive fix.

  2. Workaround (if upgrade blocked): Add explicit allowlist validation at the top of every prediction function; reject values not in the approved set before any processing.

  3. Audit: Enumerate all production Gradio Dropdown components; trace data flow from Dropdown values into downstream calls (file ops, subprocesses, DB queries).

  4. Detection: Log all values received at Gradio inference endpoints; alert on values outside expected enum sets.

  5. Architecture: Never rely on client-side or UI-layer constraints as a security boundary for server-side logic.
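An added example covering steps 2 and 4 together (not code from Gradio or from the advisory): a decorator that checks a prediction function's Dropdown-backed argument against a fixed allowlist and logs every rejected value before raising. The names `enforce_choices`, `RejectedInput`, `MODEL_CHOICES`, `predict` and the logger name are assumptions for illustration; the wrapped function is a plain callable of the kind passed to a Gradio interface.

```python
import functools
import inspect
import logging

log = logging.getLogger("gradio_input_audit")  # assumed logger name

# Assumption: the same tuple that is passed as choices= to the Dropdown.
MODEL_CHOICES = ("base", "large", "instruct")


class RejectedInput(ValueError):
    """A request carried a value that the Dropdown never offered."""


def enforce_choices(**allowed):
    """Reject calls whose named arguments fall outside a fixed allowlist."""
    allowed = {name: frozenset(vals) for name, vals in allowed.items()}

    def decorator(fn):
        sig = inspect.signature(fn)

        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            for name, choices in allowed.items():
                value = bound.arguments[name]
                # A multiselect Dropdown delivers a list; check every item.
                items = value if isinstance(value, list) else [value]
                for item in items:
                    # Type check first: crafted JSON can carry dicts or lists.
                    if not isinstance(item, str) or item not in choices:
                        # repr() escapes newlines; the slice bounds log size.
                        log.warning("value outside allowlist: param=%s value=%s",
                                    name, repr(item)[:200])
                        raise RejectedInput(f"invalid value for {name}")
            return fn(*args, **kwargs)

        return wrapper

    return decorator


@enforce_choices(variant=MODEL_CHOICES)
def predict(prompt, variant):
    # Only reached with an allowlisted variant, so the name is safe to use
    # when building a path or registry key.
    return f"loading weights/{variant}.bin for a {len(prompt)}-char prompt"
```

The warning records are the detection signal from step 4: on a correctly behaving UI they should never occur, so any occurrence is worth an alert.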

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.3 - Data for AI systems
NIST AI RMF
MANAGE-2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM01:2025 - Prompt Injection

Frequently Asked Questions

Is GHSA-26jh-r8g2-6fpr actively exploited?

No confirmed active exploitation of GHSA-26jh-r8g2-6fpr has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-26jh-r8g2-6fpr?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, inference endpoints, internal AI tooling.

What is the CVSS score for GHSA-26jh-r8g2-6fpr?

GHSA-26jh-r8g2-6fpr has a CVSS v3.1 base score of 5.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

ML demo platforms, model serving, inference endpoints, internal AI tooling

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access
AML.T0043.003 Manual Modification
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM01:2025

What are the technical details?

Original Advisory

### Impact

**What kind of vulnerability is it? Who is impacted?**

This vulnerability is a **data validation issue** in the Gradio `Dropdown` component's pre-processing step. Even if the `allow_custom_value` parameter is set to `False`, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user's machine.

### Patches

Yes, this issue is addressed in `gradio>=5.0`. Please upgrade to the latest version to resolve the problem.

### Workarounds

**Is there a way for users to fix or remediate the vulnerability without upgrading?**

To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.

Exploitation Scenario

An adversary discovers an internal ML tool or Hugging Face Space running Gradio <5.0.0 with a Dropdown for model variant selection (e.g., 'base', 'large', 'instruct'). They intercept a legitimate POST request via browser devtools, then replay it substituting an arbitrary string for the valid option — such as a relative file path ('../../etc/passwd') or a model name pointing to an attacker-controlled artifact. The prediction function, trusting Gradio's now-bypassed constraint, passes the value directly to a file loader or model registry call, achieving unauthorized file read or loading of a malicious model artifact.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
October 10, 2024
Last Modified
October 11, 2024
First Seen
March 24, 2026
