CVE-2026-59806 in Gradio
Summary
by MITRE • 07/08/2026
Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() function in the /gradio_api/file= endpoint. Attackers can craft a malicious FileData response targeting internal endpoints such as cloud metadata services to retrieve sensitive credentials including EC2 IAM role credentials.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability in Gradio versions prior to 6.20.0 represents a critical security flaw that combines open redirect and server-side request forgery capabilities within a single attack vector. This issue stems from inadequate input validation in the file_fetch() function located at the /gradio_api/file= endpoint, where user-supplied HTTP/HTTPS URLs are processed without proper sanitization or verification. The flaw allows attackers to manipulate the application's behavior by providing malicious URLs that can be interpreted and executed by the underlying system, creating a pathway for unauthorized access and data exfiltration.
The technical implementation of this vulnerability leverages the application's trust in external URL inputs, enabling attackers to craft specially formatted requests that bypass normal security controls. When the file_fetch() function processes these unvalidated URLs, it can be coerced into making HTTP requests to internal services that are normally protected from direct external access. This creates a server-side request forgery scenario where the application acts as an intermediary to access internal resources that should remain isolated from external threats. The vulnerability specifically targets cloud metadata services such as AWS EC2 metadata endpoints, which contain sensitive information including IAM role credentials and instance identity documents.
The operational impact of this vulnerability extends beyond simple redirection attacks, as it provides attackers with the capability to perform client-side SSRF within the context of legitimate application requests. This means that an attacker could potentially extract confidential data from internal systems by leveraging the application's ability to fetch files from any URL, including those pointing to internal services. The attack surface becomes particularly dangerous in cloud environments where metadata services are accessible and contain valuable credentials for accessing other AWS resources. This vulnerability directly maps to CWE-601 open redirect vulnerabilities and CWE-918 server-side request forgery, both of which are categorized under the broader category of insecure direct object references.
Security professionals should prioritize immediate remediation by upgrading to Gradio version 6.20.0 or later, where proper input validation has been implemented for the file_fetch() function. Additional mitigations include implementing strict URL validation mechanisms that reject non-compliant inputs and configuring network-level restrictions to prevent access to internal metadata services from application servers. The ATT&CK framework categorizes this vulnerability under T1566 malicious file execution and T1071 application layer protocol, highlighting the need for comprehensive network segmentation and monitoring of outbound requests from web applications. Organizations should also implement automated scanning tools that can detect similar patterns in other applications and establish security controls around file handling operations to prevent similar vulnerabilities from emerging in future releases.