CVE-2026-28415: gradio: Info Disclosure leaks sensitive data

GHSA-pfjf-5gxr-995x MEDIUM
Published February 27, 2026
CISO Take

Patch Gradio to 6.6.0 immediately if you have any Hugging Face Spaces or self-hosted Gradio apps with OAuth/LoginButton enabled. This open redirect in the OAuth flow allows attackers to weaponize your legitimate domain for phishing — crafting links that appear to originate from your trusted ML platform to harvest credentials or OAuth tokens. Low exploitability score does not offset the brand trust abuse potential in enterprise AI environments.

Risk Assessment

MEDIUM risk in isolation, but contextually elevated for organizations with ML teams using Gradio on Hugging Face Spaces. CVSS 4.7 reflects the user interaction requirement and limited direct impact, but the Scope:Changed vector (S:C) signals cross-boundary risk. Gradio is pervasive in AI/ML prototyping, and shadow AI deployments are the real exposure surface. No active exploitation, not in CISA KEV, but the no-auth-required exploitation lowers the bar for opportunistic phishing campaigns targeting data scientists and ML engineers.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
gradio  | pip       | -                | No patch
gradio  | pip       | < 6.6.0          | 6.6.0

gradio package profile: 42.5K, OpenSSF 5.6, 674 dependents, pushed 8d ago, 27% patched, ~110d to patch

Severity & Risk

CVSS 3.1: 4.7 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV Network
AC Low
PR None
UI Required
S Changed
C None
I Low
A None

Recommended Action

  1. PATCH: Upgrade Gradio to >=6.6.0 immediately. The fix sanitizes _target_url to path/query/fragment only, stripping scheme and host.
  2. AUDIT: Inventory all Gradio deployments across your org, including shadow AI apps on HuggingFace Spaces.
  3. DETECT: Monitor for requests to /logout and /login/callback with _target_url parameters containing external domains (http/https scheme). Add WAF rule: block or alert on OAuth callback requests where _target_url contains ://.
  4. EDUCATE: Alert ML/data science teams; this is a common blind spot. They own these deployments, not security.
  5. SHORT-TERM WORKAROUND if patching is delayed: disable OAuth (remove gr.LoginButton) or restrict access to internal networks only.
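The DETECT step can be run over web access logs as in the following added example, which is not part of the advisory or of Gradio. It assumes combined-format log lines (the sample lines, addresses and hostnames are constructed) and goes slightly beyond the literal "contains ://" rule by decoding the parameter first and also flagging scheme-relative `//host` values.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory.
OAUTH_PATHS = {"/logout", "/login/callback"}
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def external_target(request_uri):
    """Return the off-site _target_url value carried by an OAuth request, else None."""
    parts = urlsplit(request_uri)
    if parts.path.rstrip("/") not in OAUTH_PATHS:
        return None
    for value in parse_qs(parts.query).get("_target_url", []):
        # parse_qs decodes once; decode again so double-encoded values are seen too.
        decoded = unquote(value).replace("\\", "/").strip()
        if "://" in decoded or decoded.startswith("//"):
            return value
    return None


def scan(lines):
    """Return (line_number, target) for every log line that should raise an alert."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        target = external_target(match.group(1)) if match else None
        if target is not None:
            hits.append((number, target))
    return hits


# Constructed sample log lines; IPs and hostnames are documentation placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2026:10:00:01 +0000] "GET /logout?_target_url=/ HTTP/1.1" 307 0',
    '198.51.100.7 - - [27/Feb/2026:10:00:05 +0000] "GET /logout?_target_url=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 307 0',
    '192.0.2.11 - - [27/Feb/2026:10:00:09 +0000] "GET /login/callback?code=abc&state=xyz&_target_url=%2F%3Fview%3Dapi HTTP/1.1" 307 0',
    '203.0.113.4 - - [27/Feb/2026:10:00:12 +0000] "GET /login/callback?_target_url=%2F%2Fphish.example HTTP/1.1" 307 0',
    '192.0.2.12 - - [27/Feb/2026:10:00:15 +0000] "GET /config?_target_url=https://phish.example HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"ALERT line {number}: _target_url={target}")
```
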

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.10.1 - AI supply chain and third-party risk management
  A.10.7 - Security of AI system supporting infrastructure
NIST AI RMF
  GOVERN 6.1 - Policies and procedures for AI supply chain and third-party risk
  GOVERN-1.7 - Processes and procedures are in place for decommissioning or retiring AI systems
  MANAGE-2.2 - Mechanisms for responding to AI risks are followed
OWASP LLM Top 10
  LLM05:2025 - Supply Chain Vulnerabilities
  LLM09:2025 - Misinformation

Frequently Asked Questions

Is CVE-2026-28415 actively exploited?

No confirmed active exploitation of CVE-2026-28415 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-28415?

This vulnerability affects the following AI/ML architecture patterns: ML UI frameworks (Gradio), HuggingFace Spaces deployments, Model demo and inference endpoints, OAuth-enabled ML portals, AI prototyping and internal tooling.

What is the CVSS score for CVE-2026-28415?

CVE-2026-28415 has a CVSS v3.1 base score of 4.7 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
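The sanitization the description names (keep path, query and fragment; drop scheme and host) can be sketched as follows. This is an added illustration, not Gradio's own code: the function names `unsafe_target` and `sanitize_target` are hypothetical and the sample inputs are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def unsafe_target(target_url: str) -> str:
    """Pre-6.6.0 behaviour as described: the parameter is the redirect location."""
    return target_url


def sanitize_target(target_url: Optional[str], default: str = "/") -> str:
    """Reduce a redirect target to path + query + fragment on the app's own origin."""
    if not target_url:
        return default
    # Browsers read "\" as "/" and drop tabs/newlines, so normalise before parsing.
    cleaned = "".join(c for c in target_url.strip() if c not in "\t\r\n").replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return default
    # Scheme and host are discarded. Leading slashes are collapsed so the result
    # cannot itself start with "//", which a browser would treat as a host.
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, parts.fragment))


# Constructed inputs (hostnames are placeholders, not taken from the advisory).
SAMPLES = [
    "/gallery?tab=2#top",
    "https://phish.example/login?next=1",
    "//phish.example/a",
    "///phish.example",
    "\\\\phish.example\\a",
    "http://[bad",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} -> {sanitize_target(s)!r}")
```
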

Exploitation Scenario

Adversary identifies a target organization's Gradio app on HuggingFace Spaces with OAuth enabled. They craft a phishing URL pointing to the legitimate /logout endpoint with _target_url=https://attacker-controlled-site.com. Email or Slack message to ML engineer reads: 'Please re-authenticate to access the fine-tuning dashboard' with the crafted link. Victim clicks, hits the legitimate Gradio domain, gets transparently redirected to the attacker's credential harvesting page styled to mimic HuggingFace login. Attacker captures HuggingFace OAuth token, gains access to private model repos, datasets, and inference APIs. Entire chain uses a legitimate, trusted domain — bypasses URL reputation filters.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Timeline

Published
February 27, 2026
Last Modified
March 5, 2026
First Seen
February 27, 2026

Related Vulnerabilities