CVE-2026-28416: Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim’s server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the Space's config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim’s infrastructure.
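The trust boundary behind this advisory, shown as an added illustration that is neither Gradio's code nor the fix in the linked commit: a hypothetical config loader that copies whatever `proxy_url` a remote config declares into the allowlist (the pattern the advisory describes), beside a hardened variant that pins the proxy to the origin the config was fetched from and refuses loopback, private and link-local addresses. The function names, the policy and the sample URLs are assumptions constructed for the example.

```python
"""Added example for CVE-2026-28416 style config trust (assumed code, not Gradio's)."""
import ipaddress
from urllib.parse import urlparse


def _scheme_and_host(url):
    """Return (scheme, hostname) for a URL; hostname is None if unparsable."""
    parsed = urlparse(url)
    return parsed.scheme.lower(), parsed.hostname


def allowlist_vulnerable(config, allowed_hosts):
    """Vulnerable pattern from the advisory: the proxy_url declared by the
    remote Space config is trusted as-is and its host joins the allowlist,
    so the Space author decides which hosts the victim server will talk to."""
    proxy_url = config.get("proxy_url")
    if proxy_url:
        _, host = _scheme_and_host(proxy_url)
        if host:
            allowed_hosts.add(host)
    return allowed_hosts


def is_proxy_url_safe(proxy_url, space_origin):
    """Hardened check (assumed policy, not the project's fix):
    - only http/https URLs with a parsable host are accepted;
    - literal IP hosts must be globally routable, which rejects loopback,
      RFC 1918 ranges and link-local space such as cloud metadata addresses;
    - the host must match the origin the config was loaded from, so a Space
      cannot redirect the victim's proxying to a host of its own choosing.
    A config loaded from a local dev origin is rejected by the IP rule; relax
    that deliberately for development rather than removing the check."""
    scheme, host = _scheme_and_host(proxy_url)
    if scheme not in ("http", "https") or not host:
        return False
    try:
        if not ipaddress.ip_address(host).is_global:
            return False
    except ValueError:
        pass  # a DNS name, not an IP literal; falls through to origin pinning
    _, origin_host = _scheme_and_host(space_origin)
    return origin_host is not None and host == origin_host


def allowlist_hardened(config, space_origin, allowed_hosts):
    """Same loader with the check applied: untrusted proxy_url values are
    dropped instead of being added to the allowlist."""
    proxy_url = config.get("proxy_url")
    if proxy_url and is_proxy_url_safe(proxy_url, space_origin):
        _, host = _scheme_and_host(proxy_url)
        allowed_hosts.add(host)
    return allowed_hosts


if __name__ == "__main__":
    # Constructed sample: a Space origin and a config it might serve.
    origin = "https://some-space.example"
    for candidate in (
        "https://some-space.example/proxy",   # same origin: accepted
        "http://169.254.169.254/",            # link-local metadata range: rejected
        "http://127.0.0.1:7860/",             # loopback: rejected
        "http://[::1]:7860/",                 # IPv6 loopback: rejected
        "https://other.example/",             # different host: rejected
        "file:///tmp/x",                      # non-http scheme: rejected
    ):
        cfg = {"proxy_url": candidate}
        print(
            f"{candidate:40} vulnerable={sorted(allowlist_vulnerable(cfg, set()))}"
            f" hardened={sorted(allowlist_hardened(cfg, origin, set()))}"
        )
```

The decisive control is origin pinning: an allowlist that is populated from data the remote party controls is not an allowlist. The address-class check is a second layer that still matters if a later component resolves names before comparing them.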
References
- github.com/advisories/GHSA-jmh7-g254-2cq9
- github.com/gradio-app/gradio
- github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc
- github.com/gradio-app/gradio/releases/tag/gradio%406.6.0
- github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9
- nvd.nist.gov/vuln/detail/CVE-2026-28416