Patch Gradio to 6.6.0 immediately if you have any Hugging Face Spaces or self-hosted Gradio apps with OAuth/LoginButton enabled. This open redirect in the OAuth flow allows attackers to weaponize your legitimate domain for phishing — crafting links that appear to originate from your trusted ML platform to harvest credentials or OAuth tokens. Low exploitability score does not offset the brand trust abuse potential in enterprise AI environments.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | < 6.6.0 | 6.6.0 |
Recommended Action
1. PATCH: Upgrade Gradio to >=6.6.0 immediately; the fix sanitizes _target_url to path/query/fragment only, stripping scheme and host.
2. AUDIT: Inventory all Gradio deployments across your org, including shadow AI apps on HuggingFace Spaces.
3. DETECT: Monitor for requests to /logout and /login/callback with _target_url parameters containing external domains (http/https scheme). Add a WAF rule: block or alert on OAuth callback requests where _target_url contains ://.
4. EDUCATE: Alert ML/data science teams; this is a common blind spot, since they own these deployments, not security.
5. SHORT-TERM WORKAROUND if patching is delayed: disable OAuth (remove gr.LoginButton) or restrict access to internal networks only.
Technical Details
NVD Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
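The sanitisation the advisory attributes to the 6.6.0 fix (keep only path, query and fragment) together with the DETECT step from the recommended actions, as an added example; this is not Gradio's own code, the function names are assumed here, and the backslash normalisation is hardening beyond what the advisory describes.

```python
from urllib.parse import urlsplit, parse_qs

OAUTH_ENDPOINTS = ("/logout", "/login/callback")


def sanitize_target_url(target: str, default: str = "/") -> str:
    """Reduce a user-supplied redirect target to a same-origin relative URL
    (path + query + fragment), as the advisory describes the 6.6.0 fix."""
    if not target:
        return default
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.com" would be read
    # as the scheme-relative "//evil.com". Normalising it first is hardening
    # added here; the advisory does not say whether the upstream fix does this.
    parts = urlsplit(target.replace("\\", "/"))
    # Scheme and netloc are dropped; collapse leading slashes so "//host" cannot survive.
    url = "/" + parts.path.lstrip("/")
    if parts.query:
        url += "?" + parts.query
    if parts.fragment:
        url += "#" + parts.fragment
    return url


def suspicious_targets(access_log_lines):
    """Return _target_url values on /logout and /login/callback requests that
    carry a scheme or host. parse_qs percent-decodes, so an encoded
    'https%3A%2F%2F' is caught as well as a literal 'https://'."""
    hits = []
    for line in access_log_lines:
        try:
            request = line.split('"')[1]            # 'GET /logout?... HTTP/1.1'
            _method, url, _version = request.split(" ")
        except (IndexError, ValueError):
            continue                                 # not a request line we parse
        parts = urlsplit(url)
        if parts.path not in OAUTH_ENDPOINTS:
            continue
        for target in parse_qs(parts.query).get("_target_url", []):
            normalised = target.replace("\\", "/")
            if "://" in normalised or normalised.startswith("//"):
                hits.append(target)
    return hits


# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /logout?_target_url=https://attacker.example/login HTTP/1.1" 302',
    '10.0.0.6 - - "GET /logout?_target_url=https%3A%2F%2Fattacker.example HTTP/1.1" 302',
    '10.0.0.7 - - "GET /login/callback?code=x&_target_url=/dashboard HTTP/1.1" 302',
    '10.0.0.8 - - "GET /predict HTTP/1.1" 200',
]
```

The second sample line shows why a WAF rule that matches a literal `://` in the raw query string is not enough: the value only contains `://` after percent-decoding.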
Exploitation Scenario
Adversary identifies a target organization's Gradio app on HuggingFace Spaces with OAuth enabled. They craft a phishing URL pointing to the legitimate /logout endpoint with _target_url=https://attacker-controlled-site.com. Email or Slack message to ML engineer reads: 'Please re-authenticate to access the fine-tuning dashboard' with the crafted link. Victim clicks, hits the legitimate Gradio domain, gets transparently redirected to the attacker's credential harvesting page styled to mimic HuggingFace login. Attacker captures HuggingFace OAuth token, gains access to private model repos, datasets, and inference APIs. Entire chain uses a legitimate, trusted domain — bypasses URL reputation filters.
Weaknesses (CWE)
| CWE | Name | Type |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | Primary |
| CWE-284 | Improper Access Control | Primary |
| CWE-330 | Use of Insufficiently Random Values | Primary |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | Primary |
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
References
- github.com/advisories/GHSA-pfjf-5gxr-995x
- github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e
- github.com/gradio-app/gradio/releases/tag/gradio%406.6.0
- github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x (Vendor)
- nvd.nist.gov/vuln/detail/CVE-2026-28415