Gradio OAuth Flaw Enables Phishing Attacks

A vulnerability has been found in the popular ML demo tool Gradio. The bug (CVE-2026-28415) is an open redirect in the OAuth flow, which could allow attackers to execute sophisticated phishing attacks. The discovery serves as a reminder for ML engineers to carefully vet third-party libraries, especially in public-facing applications.

The vulnerability, present in Gradio versions prior to 6.6.0, stemmed from the `_redirect_to_target()` function. This function improperly handled a `_target_url` query parameter, failing to validate or sanitize the URL. This allowed an attacker to craft a link using a trusted domain (like one hosting a Gradio app on Hugging Face Spaces) that would automatically forward a user to a malicious external website. The flaw specifically impacts the `/logout` and `/login/callback` endpoints in Gradio applications where OAuth authentication is enabled. An attacker could, for example, send a phishing link that appears legitimate; once the user clicks it and interacts with the page (e.g., logs out), they are seamlessly redirected to a phishing site that captures credentials or serves malware.

The fix, implemented in version 6.6.0, sanitizes the redirect parameter, stripping any provided scheme or host to ensure redirection only occurs within the same application.

Open redirect flaws are a known attack vector, often classified under CWE-601. Their primary danger in OAuth flows is not just phishing, but the potential for token theft. An attacker can intercept authorization codes or access tokens sent in the URL during the redirect, potentially leading to a full account takeover. This type of vulnerability has been a recurring issue across the web, with bug bounty programs frequently rewarding discoveries on major platforms.

This incident is part of a larger trend of security scrutiny on AI and machine learning development tools, which are increasingly moving from research settings to production environments. In late 2024, Hugging Face commissioned a third-party security audit of Gradio 5.0 by Trail of Bits to proactively identify and fix numerous security risks, including issues with server configuration, cross-site scripting (XSS), and server-side request forgery (SSRF). This signals a growing maturity in the MLOps space, where the security of third-party libraries is becoming as critical as the models themselves.
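The kind of sanitization described for 6.6.0 (dropping any scheme or host from the redirect target so it stays inside the application) can be sketched as follows; this is an added example, not Gradio's own code. The function name `sanitize_redirect_target` and the sample values are hypothetical, and the backslash and control-character handling goes beyond what the article states.

```python
from urllib.parse import urlsplit


def sanitize_redirect_target(target, default="/"):
    """Reduce a user-supplied redirect target to a path inside this application.

    Hypothetical helper for illustration; not Gradio's implementation.
    """
    if not target:
        return default
    # Browsers drop tabs/newlines inside URLs and treat "\" like "/", so
    # normalise both before parsing; otherwise a backslash-prefixed host
    # would be parsed as an ordinary path.
    cleaned = "".join(c for c in target if c.isprintable() and not c.isspace())
    cleaned = cleaned.replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. an unbalanced "[" in the host part
        return default
    # Discard scheme and host (including any userinfo@ prefix) and collapse
    # leading slashes so the result can never start with "//", which a
    # browser would read as a scheme-relative URL to another host.
    result = "/" + parts.path.lstrip("/")
    if parts.query:
        result += "?" + parts.query
    if parts.fragment:
        result += "#" + parts.fragment
    return result


# Constructed sample values for a _target_url parameter (not from the advisory).
SAMPLES = [
    "/dashboard?tab=1#top",
    "https://evil.example/login",
    "//evil.example/login",
    "/\\evil.example/login",
    "https://trusted.example@evil.example/login",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:48} -> {sanitize_redirect_target(raw)!r}")
```

Every return value is a relative reference beginning with exactly one `/`, so it can be placed in a `Location` header without leaving the application's origin.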
