CVE-2026-28415

MEDIUM EPSS 13.9%

Published Feb 27, 20264mo ago · Modified Mar 5, 20263mo ago

4.7 CVSS 3.1

Medium

Published Feb 27, 2026 4mo ago

Last Modified Mar 5, 2026 3mo ago

Description

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.

CVSS Details

Base Score

4.7

Exploitability

2.8

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality None

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

13.9% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 4

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

CWE-284

CWE-330

CWE-601

Affected Products 1

Vendor	Product	Version	Range
gradio_project	gradio	*	<6.6.0

References 1

github.com https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.