Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 08 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() function in the /gradio_api/file= endpoint. Attackers can craft a malicious FileData response targeting internal endpoints such as cloud metadata services to retrieve sensitive credentials including EC2 IAM role credentials. | |
| Title | Gradio < 6.20.0 - Open Redirect and SSRF via /gradio_api/file= endpoint | |
| First Time appeared |
Gradio Project
Gradio Project gradio |
|
| Weaknesses | CWE-601 CWE-918 |
|
| CPEs | cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:* | |
| Vendors & Products |
Gradio Project
Gradio Project gradio |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-08T19:43:32.730Z
Reserved: 2026-07-07T14:39:14.062Z
Link: CVE-2026-59806
No data.
No data.
No data.
OpenCVE Enrichment
No data.