Description
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.
Published: 2026-02-27
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote Credential Theft
Action: Immediate Patch
AI Analysis

Impact

Gradio applications running versions 4.16.0 through 6.5.0 expose a flaw when OAuth components such as gr.LoginButton are used outside of Hugging Face Spaces. When anyone visits the special /login/huggingface route, the server automatically retrieves its own Hugging Face access token and stores it inside the visitor’s session cookie. That cookie is signed with a hardcoded secret derived from the string "-v4", so its payload can be decoded trivially. An attacker who can reach the application over the network can trigger this flow and capture the server’s credentials, compromising the entire Hugging Face integration. This is a classic case of improper secret management combined with storage of sensitive data in a client-side cookie.

Affected Systems

The vulnerability affects the Gradio package distributed by gradio-app. Any deployment of Gradio version 4.16.0 up to and including 6.5.0 that is exposed to external network traffic and uses OAuth UI components is impacted. Gradio 6.6.0 and later versions contain the fix and are not affected.

Risk and Exploitability

Detailed severity is not provided, but the potential to exfiltrate server credentials makes the impact high. The EPSS score indicates that current public exploitation probability is very low (<1%). The vulnerability is not listed in CISA’s KEV catalog, suggesting it has not been actively exploited in the wild yet. The likely attack vector is a remote, unauthenticated user accessing the exposed /login/huggingface endpoint, which then results in credential theft. Exploitation requires only network connectivity to the vulnerable service and the presence of OAuth components in the code.

Generated by OpenCVE AI on April 16, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gradio to version 6.6.0 or newer to apply the vendor fix that removes the mocked OAuth flow and uses a proper session secret.
  • If an upgrade cannot be performed immediately, disable or remove OAuth components such as gr.LoginButton from the application code to eliminate the vulnerable route.
  • Restrict access to the Gradio application by placing it behind authentication, firewall rules, or an internal network so that external attackers cannot trigger the /login/huggingface endpoint.
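As an added illustration (not code from the advisory or from the Gradio project), the following script implements two defender-side checks behind these actions: confirming whether an installed Gradio version falls inside the affected range under the advisory's conditions, and scanning reverse-proxy access logs for remote requests to the mocked route. The log format, sample lines and handling of pre-release version suffixes are assumptions of this example.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Affected range stated in the advisory: 4.16.0 <= version < 6.6.0.
AFFECTED_MIN = (4, 16, 0)
FIXED = (6, 6, 0)
MOCK_LOGIN_ROUTE = "/login/huggingface"  # route named in the advisory

def parse_version(v: str) -> Tuple[int, ...]:
    """'MAJOR.MINOR.PATCH' -> comparable tuple. A pre-release suffix such as
    '6.6.0b1' is ignored (an assumption of this check, not from the advisory)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised gradio version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(gradio_version: str, uses_oauth_components: bool, on_hf_spaces: bool) -> bool:
    """Vulnerable only when all three advisory conditions hold: version in range,
    OAuth components such as gr.LoginButton in use, and not running on HF Spaces."""
    in_range = AFFECTED_MIN <= parse_version(gradio_version) < FIXED
    return in_range and uses_oauth_components and not on_hf_spaces

# Common Log Format line, as written by a reverse proxy in front of the app (assumed format).
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def remote_login_hits(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, status) for each request to the mocked OAuth route from a
    non-loopback address; on an affected version each one is a possible token exposure."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line
        if m.group("path").split("?", 1)[0] != MOCK_LOGIN_ROUTE:
            continue
        try:
            client = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field
        if not client.is_loopback:
            hits.append((str(client), m.group("status")))
    return hits

# Constructed sample lines using TEST-NET addresses; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Feb/2026:21:45:00 +0000] "GET /login/huggingface HTTP/1.1" 302 0',
    '127.0.0.1 - - [27/Feb/2026:21:45:05 +0000] "GET /login/huggingface?next=/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [27/Feb/2026:21:46:10 +0000] "GET / HTTP/1.1" 200 512',
]
```

Any hit returned by `remote_login_hits` on a deployment where `is_affected` is true should be treated as a reason to rotate the server's Hugging Face token after upgrading.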



Advisories

Source: GitHub GHSA
ID: GHSA-h3h8-3v2v-rg7m
Title: Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
History

Thu, 05 Mar 2026 13:15:00 +0000
  First Time appeared (values added): Gradio Project; Gradio Project gradio
  CPEs (values added): cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
  Vendors & Products (values added): Gradio Project; Gradio Project gradio

Mon, 02 Mar 2026 22:15:00 +0000
  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000
  First Time appeared (values added): Gradio-app; Gradio-app gradio
  Vendors & Products (values added): Gradio-app; Gradio-app gradio
  References
  Metrics threat_severity: removed None; added Low

Fri, 27 Feb 2026 21:45:00 +0000
  Description (values added): the CVE description shown in the Description section at the top of this page
  Title (values added): Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
  Weaknesses (values added): CWE-522; CWE-798
  References
  Metrics cvssV3_1 (values added): {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N'}

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-02T22:02:47.868Z
  Reserved: 2026-02-18T00:18:53.963Z
  Link: CVE-2026-27167

Vulnrichment
  Updated: 2026-03-02T22:02:44.083Z

NVD
  Status: Analyzed
  Published: 2026-02-27T22:16:22.820
  Modified: 2026-03-05T13:13:11.633
  Link: CVE-2026-27167

Redhat
  Severity: Low
  Published Date: 2026-02-27T21:40:57Z
  Links: CVE-2026-27167 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-16T15:15:39Z

Weaknesses