CVE-2026-28415: Gradio has an Open Redirect in its OAuth Flow
The _redirect_to_target() function in Gradio’s OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton).
References
- github.com/advisories/GHSA-pfjf-5gxr-995x
- github.com/gradio-app/gradio
- github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e
- github.com/gradio-app/gradio/releases/tag/gradio%406.6.0
- github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x
- nvd.nist.gov/vuln/detail/CVE-2026-28415
Code Behaviors & Features
Detect and mitigate CVE-2026-28415 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →