Home

Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.

PUBLISHED Reserved 2026-02-27 | Published 2026-02-27 | Updated 2026-03-02 | Assigner GitHub_M




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-284: Improper Access Control

CWE-330: Use of Insufficiently Random Values

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Product status

< 6.6.0
affected

References

github.com/...gradio/security/advisories/GHSA-pfjf-5gxr-995x

cve.org (CVE-2026-28415)

nvd.nist.gov (CVE-2026-28415)

Download JSON