{"data":{"id":"6d205c93-6763-4cee-a9a2-e32b5cf1c0f6","title":"CVE-2026-59806: Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to re","summary":"Gradio before version 6.20.0 has a vulnerability where the /gradio_api/file= endpoint accepts unvalidated URLs in the file_fetch() function, allowing attackers to perform an open redirect (sending users to malicious websites) or SSRF (server-side request forgery, where the server makes unintended requests to internal systems). Attackers can exploit this to target cloud metadata services and steal sensitive credentials like EC2 IAM role credentials (authentication tokens used by cloud services).","solution":"Update Gradio to version 6.20.0 or later, as indicated in the release tag https://github.com/gradio-app/gradio/releases/tag/gradio%406.20.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-59806","publishedAt":"2026-07-08T20:16:56.973Z","cveId":"CVE-2026-59806","cweIds":["CWE-601","CWE-918"],"cvssScore":"7.4","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-08T20:16:56.973Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010"]}}