CVE-2026-59806: Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to re
Summary
Gradio before version 6.20.0 has a vulnerability where the /gradio_api/file= endpoint accepts unvalidated URLs in the file_fetch() function, allowing attackers to perform an open redirect (sending users to malicious websites) or SSRF (server-side request forgery, where the server makes unintended requests to internal systems). Attackers can exploit this to target cloud metadata services and steal sensitive credentials like EC2 IAM role credentials (authentication tokens used by cloud services).
Solution / Mitigation
Update Gradio to version 6.20.0 or later, as indicated in the release tag https://github.com/gradio-app/gradio/releases/tag/gradio%406.20.0.
Vulnerability Details
7.4(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
network
low
none
required
July 8, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-59806
First tracked: July 8, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 92%