PT-2026-22414 · Gradio · Gradio
Logicx24 · Published 2026-02-27 · Updated 2026-03-05 · CVE-2026-28415
CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Gradio versions prior to 6.6.0
Description
Gradio is a Python package for rapid prototyping. A flaw exists in the OAuth flow where the redirect to target() function does not properly validate the target URL query parameter. This allows redirection to arbitrary external URLs via the /logout and /login/callback API endpoints when OAuth is enabled.
Recommendations
Update to version 6.6.0 or later.
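The defensive check that closes this class of bug is to accept only a same-origin, root-relative path as the redirect target and fall back to a safe default otherwise. The validator below is an added illustration written for this advisory, not Gradio's own code; the function names sanitize_redirect_target and is_local_redirect_target are assumed, and the vulnerable pattern it replaces is shown only in a comment.

```python
from typing import Optional
from urllib.parse import urlsplit

# Vulnerable pattern (hypothetical, for contrast): passing the query
# parameter straight through, e.g.
#     return RedirectResponse(request.query_params.get("target"))
# lets an attacker-supplied https://host or //host leave the origin.


def is_local_redirect_target(target: str) -> bool:
    """Return True only for a root-relative path on the current origin.

    Hypothetical validator for a ``target`` query parameter such as the
    one used by the /logout and /login/callback endpoints described above.
    """
    if not target:
        return False
    # Browsers treat backslashes like forward slashes in the authority
    # position, so normalise them before parsing ("/\\host" -> "//host").
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # Any scheme ("https:", "javascript:") or network location means the
    # value is absolute or protocol-relative and would leave the origin.
    if parts.scheme or parts.netloc:
        return False
    # Require a root-relative path; "//" is protocol-relative, not a path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    # Control characters and whitespace are only useful for parser confusion.
    if any(ord(ch) < 0x20 or ch in " \t" for ch in candidate):
        return False
    return True


def sanitize_redirect_target(target: Optional[str], fallback: str = "/") -> str:
    """Return a normalised, origin-local target, or ``fallback`` if unsafe."""
    if target and is_local_redirect_target(target):
        return target.replace("\\", "/")
    return fallback


if __name__ == "__main__":
    # Constructed sample inputs: the first is accepted, the rest fall back.
    for sample in ["/app?tab=1", "https://evil.example/phish", "//evil.example",
                   "/\\evil.example", "javascript:alert(1)", "relative/path"]:
        print(repr(sample), "->", sanitize_redirect_target(sample))
```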
Use of Insufficiently Random Values
Information Disclosure
Open Redirect
Improper Access Control
Related Identifiers
Affected Products
Gradio