Product
Gradio versions before 6.20.0 contain an open redirect and server-side request forgery (SSRF) vulnerability, CVE-2026-59806, allowing attackers to redirect users or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the `/gradio_api/file=` endpoint, potentially leading to the retrieval of sensitive credentials, such as EC2 IAM role credentials.