CVE-2026-28416 - Vulnerability Analysis

Overview

Gradio < 6.6.0 contains a server-side request forgery caused by trusting malicious proxy_url in gr.load() config, letting attackers make arbitrary HTTP requests from victim servers, exploit requires victim to load attacker-controlled Space.

Severity & Score

Impact

Attackers can make arbitrary HTTP requests from victim servers, accessing internal services and private networks.

Mitigation

Update to version 6.6.0 or later.

References

• https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 28, 2026

🟠 CVE-2026-28416 - High (8.2) Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a mal... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28416/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner