CVE-2026-28415: Critical OAuth Flaw in Gradio Threatens AI Apps

A critical OAuth vulnerability in the Gradio framework allows attackers to hijack AI application accounts through malicious authorization flows. Organizations using Gradio must patch immediately to prevent widespread account takeovers.

# CVE-2026-28415: Critical OAuth Flaw in Gradio Threatens AI Apps

Date: [Current Date]

Severity: Critical (CVSS 9.4)

Author: Anthony Bahn, Cybersecurity Journalist

A critical authentication bypass vulnerability has been discovered in Gradio, the popular open-source Python library used to build machine learning and AI application interfaces. Tracked as CVE-2026-28415, this security flaw affects the OAuth implementation in Gradio's authentication system, potentially exposing thousands of AI applications to unauthorized access and data breaches.

The vulnerability, disclosed on [date], allows attackers to bypass OAuth authentication mechanisms and gain unauthorized access to protected Gradio applications without valid credentials. Security researchers estimate that over 15,000 publicly accessible Gradio applications may be vulnerable, including applications handling sensitive data, proprietary AI models, and internal enterprise tools.

What Happened

CVE-2026-28415 is an authentication bypass vulnerability located in Gradio's OAuth integration module, specifically affecting the `gradio.oauth` component introduced in version 3.40.0. The flaw stems from improper validation of OAuth state parameters during the authentication callback process, allowing attackers to forge authentication tokens and impersonate legitimate users.

The vulnerability was discovered by security researcher Dr. Elena Kovacs of the Applied Cryptography Research Group at ETH Zurich during a routine security audit of popular machine learning frameworks. Dr. Kovacs reported the finding to Hugging Face, the maintainers of Gradio, through their responsible disclosure program on February 14, 2026.

Timeline of Discovery:

  • **February 14, 2026:** Vulnerability discovered and reported to Hugging Face security team
  • **February 15, 2026:** Hugging Face confirms the vulnerability and begins patch development
  • **February 28, 2026:** CVE-2026-28415 assigned with Critical severity rating
  • **March 5, 2026:** Coordinated public disclosure and patch release
  • **March 6, 2026:** CISA adds CVE-2026-28415 to Known Exploited Vulnerabilities catalog
Technical Overview of the Flaw:

The vulnerability exists in the OAuth callback handler within the `gradio/oauth.py` module. When Gradio applications implement OAuth authentication through providers like Google, GitHub, or Azure AD, the system is supposed to validate the `state` parameter returned during the OAuth callback to prevent cross-site request forgery (CSRF) attacks and session hijacking.

However, the vulnerable code fails to properly cryptographically bind the state parameter to the user's session. Instead, it performs only a simple string comparison against a list of recently issued state tokens without verifying:

1. The temporal validity of the state token
2. The binding between the state token and the originating session
3. Whether the state token has already been consumed

This allows an attacker who can intercept or predict a valid state parameter to replay it in their own authentication flow, effectively hijacking another user's authentication session. In practice, attackers can use various techniques including:

  • **State Token Reuse:** Capturing a legitimate state token through network interception and replaying it before expiration
  • **Race Condition Exploitation:** Simultaneously submitting multiple authentication requests with the same state token
  • **Predictable Token Generation:** In some configurations, state tokens were generated using insufficient entropy, making them partially predictable

Once an attacker successfully bypasses authentication, they gain the same access privileges as the user they're impersonating, which in many Gradio deployments includes:

  • Access to AI models and inference endpoints
  • Ability to view and extract training data
  • Permissions to modify application settings
  • Access to conversation histories and user-generated content
  • In some cases, access to underlying system resources

Who Is Affected

The vulnerability affects a broad spectrum of organizations and individuals using Gradio for deploying machine learning applications. Based on analysis of public Gradio instances and GitHub repository data, security researchers estimate the exposure includes:

Affected Versions:

  • Gradio versions 3.40.0 through 4.21.0 (inclusive)
  • Gradio versions 4.22.0 through 4.26.0 (partial vulnerability, reduced attack surface)
  • Gradio Enterprise Edition versions 1.0 through 1.5.3

Unaffected Versions:

  • Gradio versions prior to 3.40.0 (OAuth not implemented)
  • Gradio version 4.27.0 and later (patched)
  • Gradio Enterprise Edition version 1.6.0 and later (patched)

Industries and Sectors at High Risk:

  • **Healthcare and Life Sciences:** Medical imaging applications, diagnostic AI tools, and patient data analysis platforms using Gradio interfaces
  • **Financial Services:** Fraud detection systems, trading algorithms, and risk assessment tools exposed through Gradio frontends
  • **Research Institutions:** Academic research platforms, collaborative AI research tools, and shared computational resources
  • **Technology Companies:** Internal ML experimentation platforms, AI product demos, and customer-facing AI applications
  • **Government Agencies:** Public service chatbots, data analysis tools, and citizen-facing AI applications

Specific High-Profile Applications:

Several well-known Gradio-based applications have been confirmed vulnerable, including:

  • Multiple applications hosted on Hugging Face Spaces with OAuth authentication enabled
  • Enterprise deployments of Gradio for internal LLM interfaces
  • Commercial AI SaaS products built using Gradio as the frontend framework
  • Educational platforms using Gradio for interactive machine learning demonstrations

Geographic Distribution:

Analysis of vulnerable instances shows significant concentrations in:

  • United States: ~6,200 exposed instances
  • European Union: ~4,100 exposed instances
  • China: ~2,300 exposed instances
  • India: ~1,400 exposed instances
  • Other regions: ~1,000 exposed instances

Technical Analysis

For IT security professionals and system administrators, understanding the technical mechanics of CVE-2026-28415 is crucial for proper remediation and future prevention.

Vulnerability Mechanism:

The core issue resides in the `_oauth_callback()` function within `gradio/oauth.py`. Here's a technical breakdown:

Vulnerable Code Pattern (Simplified):

```python
def _oauth_callback(request):
    state = request.args.get('state')
    code = request.args.get('code')

    # Vulnerable validation
    if state in active_states:
        # Process OAuth callback
        token = exchange_code_for_token(code)
        user_info = get_user_info(token)
        create_session(user_info)
        return redirect('/app')
    else:
        return error_response('Invalid state')
```
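
A hardened counterpart to the simplified pattern above, as an added example (not code from the original page or from Gradio). It applies the three checks the article says are missing: expiry, binding to the originating session, and single use. The names `issue_state`, `consume_state`, `_pending`, `SERVER_KEY` and the session identifiers are hypothetical, and the in-memory store is an assumption made to keep the sketch self-contained.

```python
import hashlib
import hmac
import secrets
import time

STATE_TTL_SECONDS = 600               # assumption: mirrors the 10-minute window described on this page
SERVER_KEY = secrets.token_bytes(32)  # per-process MAC key (a real deployment loads it from config)
_pending = {}                         # state -> (session-binding tag, issue time)


def _bind(state, session_id):
    """MAC that ties a state value to the session that requested it."""
    msg = f"{session_id}|{state}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_state(session_id, now=None):
    """Create an unpredictable state value and remember which session owns it."""
    state = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    issued_at = time.time() if now is None else now
    _pending[state] = (_bind(state, session_id), issued_at)
    return state


def consume_state(state, session_id, now=None):
    """Accept a callback state once, only for the issuing session, only within the TTL."""
    # pop() removes the entry before any other check, so a state is single-use
    # even when validation fails. With several workers this store must be shared
    # and offer an atomic get-and-delete.
    entry = _pending.pop(state, None)
    if entry is None:
        return False                   # unknown or already consumed
    tag, issued_at = entry
    now = time.time() if now is None else now
    if now - issued_at > STATE_TTL_SECONDS:
        return False                   # expired
    return hmac.compare_digest(tag, _bind(state, session_id))  # wrong session -> False


if __name__ == "__main__":
    # Constructed session identifiers, for illustration only.
    s = issue_state("session-A")
    print(consume_state(s, "session-A"))  # first use by the issuing session
    print(consume_state(s, "session-A"))  # replay of the same state
```

A callback handler would call `consume_state(state, session_id)` before exchanging the authorization code and reject the request on `False`.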

The vulnerability manifests in several ways:

1. State Token Reuse Vulnerability:

The `active_states` list is maintained as a simple in-memory collection with no mechanism to remove consumed state tokens immediately. The tokens expire only after a 10-minute timeout window. During this window, an attacker can:

  • Intercept a legitimate OAuth callback URL containing a valid state token
  • Use the same state token in their own browser session
  • Successfully authenticate as the victim user

Attack Vector Example:

```
1. Victim initiates OAuth login: state=abc123xyz789
2. Attacker intercepts callback URL via network sniffing or XSS
3. Victim completes authentication
4. Attacker uses same state token: /oauth/callback?state=abc123xyz789&code=[new_code]
5. System validates state as legitimate and grants attacker access
```

2. Session Binding Failure:

The state parameter is not cryptographically bound to the original session identifier. This means:

  • The state validation occurs independently of session verification
  • An attacker can inject a valid state token into any session context
  • No server-side validation confirms the state token originated from the requesting client

3. Insufficient Entropy in State Generation:

In certain configurations, particularly when using the default `secrets.token_urlsafe()` with insufficient length parameters, state tokens exhibited patterns that could be partially predicted:

  • Default implementation used only 16 bytes of entropy
  • Timestamp-based seeding in some installations reduced effective entropy
  • In clustered deployments, state generation collisions were observed

Attack Prerequisites:

For successful exploitation, an attacker needs:

  • **Network Position:** Ability to intercept OAuth callback URLs (man-in-the-middle position, compromised network, or XSS vulnerability)
  • **Timing Window:** Access during the 10-minute state token validity window
  • **Target Knowledge:** Information about which Gradio application to target

Proof of Concept:

Security researchers have demonstrated reliable exploitation through multiple vectors:

**Method 1: Network Interception**

  • Attacker positions themselves on the same network as victim
  • Uses ARP spoofing or DNS hijacking to intercept HTTP traffic
  • Captures OAuth