CVE-2026-28416:
Server-Side Request Forgery vulnerability in Gradio allows arbitrary HTTP requests through malicious Spaces.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.6 High
- Published Date: Feb 27, 2026
- CISA KEV Date: No Data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.0
- EPSS Percentile: 4%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: CHANGED
Impact
- Score: 4.0
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE
Overview
The vulnerability, identified as CVE-2026-28416, affects Gradio versions prior to 6.6.0. It carries a CVSS v3.1 base score of 8.6 (High) as assigned by NIST; the metrics listed above correspond to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The SSRF is reachable over the network without authentication or user interaction: a malicious Space loaded by a Gradio application can cause the Gradio server to issue HTTP requests of the attacker's choosing. Scope is CHANGED because those requests originate from the Gradio host and reach resources beyond Gradio itself, such as internal networks and services that are not directly exposed to the attacker. The rated impact is confidentiality only: responses to the forged requests can disclose sensitive information, while integrity and availability are not affected.
Remediation
- Upgrade Gradio to version 6.6.0 or later, which contains the fix for this SSRF. Prioritise the update in applications that call `gr.load()` to load external Spaces, since that is the code path through which a malicious Space reaches the server. Until the upgrade is deployed, reduce the blast radius: restrict outbound network access from hosts running Gradio (egress filtering, network segmentation) so that a forged request cannot reach internal services, and validate any user- or third-party-supplied URL or Space reference before the server fetches it. After patching, confirm the version actually installed in the runtime environment (for example with `pip show gradio`) rather than trusting a pin in a requirements file.
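As an added example, not code from Gradio or from the advisory, the following Python puts the two remediation checks above into practice: it compares an installed Gradio version against the fixed release 6.6.0, and it shows the kind of egress validation a server should apply before fetching a URL or Space reference supplied by an outside party. The `ALLOWED_HOSTS` list, the injectable resolver, the `FAKE_DNS` answers and the sample URLs are assumptions constructed for the example; `gr.load()` itself is not called.

```python
# Added example for CVE-2026-28416; not Gradio's own code.
import ipaddress
import socket
from importlib import metadata
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

FIXED_VERSION = "6.6.0"                 # first fixed release per the advisory
PRE_RELEASE_TAGS = ("a", "b", "rc", "dev")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Reduce a PEP 440-style version to (major, minor, patch, is_final).

    A pre-release of 6.6.0 (6.6.0rc1, 6.6.0.dev0) sorts below the final
    release; a post-release (6.6.0.post1) sorts with it.
    """
    nums: List[int] = []
    final = 1
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if digits:
            nums.append(int(digits))
        suffix = piece[len(digits):]
        if suffix:
            if suffix.lower().startswith(PRE_RELEASE_TAGS):
                final = 0
            break                       # nothing after a textual suffix counts
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], final)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def installed_gradio_is_patched() -> Optional[bool]:
    """Check the Gradio actually installed here; None if it is not installed."""
    try:
        return is_patched(metadata.version("gradio"))
    except metadata.PackageNotFoundError:
        return None


# Destinations a server must never fetch on an outsider's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",                   # link-local, incl. cloud metadata services
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Assumed allowlist of hosts this deployment is expected to load Spaces from.
ALLOWED_HOSTS = ("huggingface.co", "hf.space")


def system_resolve(host: str) -> List[str]:
    """Every A/AAAA answer for `host` from the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                       resolve: Callable[[str], List[str]] = system_resolve,
                       ) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is about to fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:           # e.g. unbalanced IPv6 brackets
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (allowed-host@real-target trick)"
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolve(host)
    except (OSError, ValueError) as exc:
        return False, f"could not resolve {host!r}: {exc}"
    for addr in addrs or ():
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped         # ::ffff:10.0.0.5 is really 10.0.0.5
        if ip.is_multicast or any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok" if addrs else (False, f"{host!r} has no addresses")[1]


# Constructed DNS answers for the demo; TEST-NET addresses, nothing real.
FAKE_DNS = {
    "huggingface.co": ["203.0.113.10"],
    "demo.hf.space": ["203.0.113.20"],
    "rebind.hf.space": ["203.0.113.30", "169.254.169.254"],  # one bad answer
    "mapped.hf.space": ["::ffff:10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError(f"no such host: {host}")
    return FAKE_DNS[host]


def demo() -> Dict[str, bool]:
    """Run the guard over sample URLs and return {url: allowed}."""
    samples = [
        "https://huggingface.co/spaces/user/app", "https://demo.hf.space/",
        "https://rebind.hf.space/", "https://mapped.hf.space/",
        "http://localhost:7860/", "http://169.254.169.254/latest/meta-data/",
        "https://huggingface.co@127.0.0.1/", "file:///etc/passwd",
    ]
    return {u: check_outbound_url(u, resolve=fake_resolve)[0] for u in samples}


if __name__ == "__main__":
    for url, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {url}")
    print("installed gradio patched:", installed_gradio_is_patched())
```

The guard rejects a host if any of its answers falls in a blocked range, which is the right call for a name that returns one public and one internal address. Note that validating the name and then letting the HTTP client resolve it again leaves a rebinding window; to close it, connect to the address that was validated, or re-apply the check inside the connection hook of the HTTP client in use.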