Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2026-0502

NIXPKGS-2026-0502
published on 3 Mar 2026
Permalink CVE-2026-28415
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 2 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion 3 weeks, 2 days ago
  • @LeSuisse removed
    8 packages
    • pkgsRocm.python3Packages.gradio-pdf
    • pkgsRocm.python3Packages.gradio-client
    • python314Packages.gradio-client
    • python313Packages.gradio-client
    • python312Packages.gradio-client
    • python314Packages.gradio-pdf
    • python313Packages.gradio-pdf
    • python312Packages.gradio-pdf
    3 weeks, 1 day ago
  • @LeSuisse accepted 3 weeks, 1 day ago
  • @LeSuisse published on GitHub 2 weeks, 6 days ago
Gradio has Open Redirect in OAuth Flow

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.

References

Affected products

gradio
  • ==< 6.6.0

Matching in nixpkgs

Ignored packages (8)

Package maintainers

Upstream advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x