Moderate severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 2, 2026
Gradio has Open Redirect in OAuth Flow
CVE-2026-28415
Description
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gradio (PyPI) | < 6.6.0 | 6.6.0 |
Affected products
- Range: < 6.6.0
References
- https://github.com/advisories/GHSA-pfjf-5gxr-995x (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-28415 (NVD advisory)
- https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e (fix commit)
- https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0 (release notes for 6.6.0)
- https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x (project security advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-65.yaml (PyPA advisory PYSEC-2026-65)