CVE-2026-27167 — MEDIUM (CVSS 5.9) AI Security Vulnerability

Q: Is CVE-2026-27167 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27167, increasing the risk of exploitation.

Q: How to fix CVE-2026-27167?

1. PATCH: Upgrade all Gradio instances to 6.6.0 or later — this is the only complete fix. 2. DETECT exposure: Run 'pip show gradio' across ML workloads; flag any version 4.16.0–6.5.x with gr.LoginButton in the codebase. 3. ROTATE: Revoke and regenerate HF tokens on any system running a vulnerable Gradio instance that was network-accessible. 4. WORKAROUND if patching is delayed: Block /login/huggingface at the reverse proxy/WAF level, or restrict Gradio instances to localhost only. 5. HARDEN going forward: Enforce fine-grained HF tokens with minimum necessary scopes; never use org-admin tokens in application environments. 6. DETECTION: Alert on GET requests to /login/huggingface in access logs on any Gradio-serving host.

Q: What systems are affected by CVE-2026-27167?

This vulnerability affects the following AI/ML architecture patterns: ML demo and prototyping platforms, Model serving (Gradio-based inference UIs), Internal ML tooling and portals, AI development environments, MLOps pipelines using HuggingFace Hub.

Q: What is the CVSS score for CVE-2026-27167?

CVE-2026-27167 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.03%.

CISO Take

Any Gradio deployment (v4.16.0–6.5.x) running outside Hugging Face Spaces with a LoginButton component exposed to the network is leaking the server owner's Hugging Face token to any visitor — no auth required. Patch to 6.6.0 immediately; if you can't, block the /login/huggingface route at the network layer and rotate all HF tokens on affected systems. The stolen token likely grants write access to private models and datasets, making this a supply chain entry point, not just a credential leak.

Risk Assessment

CVSS 5.9 Medium understates the real risk for AI/ML environments. The attack requires no authentication and no user interaction — just network access to the Gradio app. The hardcoded cookie signing secret ('-v4' derived) means token extraction is trivial once the session cookie is obtained. HF tokens are typically scoped broadly (read/write on models, datasets, spaces) and rarely rotated. In an AI team context, this is effectively a key to the model registry. Risk should be treated as HIGH for any org with Gradio instances on internal or public networks.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.6 674 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →
gradio	pip	>= 4.16.0, < 6.6.0	`6.6.0`
42.5K OpenSSF 5.6 674 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1

5.9 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 8% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Advanced

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

PATCH

Upgrade all Gradio instances to 6.6.0 or later — this is the only complete fix.
DETECT exposure: Run 'pip show gradio' across ML workloads; flag any version 4.16.0–6.5.x with gr.LoginButton in the codebase.
ROTATE

Revoke and regenerate HF tokens on any system running a vulnerable Gradio instance that was network-accessible.
WORKAROUND if patching is delayed: Block /login/huggingface at the reverse proxy/WAF level, or restrict Gradio instances to localhost only.
HARDEN going forward: Enforce fine-grained HF tokens with minimum necessary scopes; never use org-admin tokens in application environments.
DETECTION

Alert on GET requests to /login/huggingface in access logs on any Gradio-serving host.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Model Poisoning Code Execution Framework Agent API AML.T0010.001 - AI Software AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0091.000 - Application Access Token AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment A.6.2.3 - Access to AI systems and associated resources A.9.4 - Technical security controls for AI systems

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place to address AI risks and benefits MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MANAGE 2.4 - Risks are monitored and documented

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-27167?

Any Gradio deployment (v4.16.0–6.5.x) running outside Hugging Face Spaces with a LoginButton component exposed to the network is leaking the server owner's Hugging Face token to any visitor — no auth required. Patch to 6.6.0 immediately; if you can't, block the /login/huggingface route at the network layer and rotate all HF tokens on affected systems. The stolen token likely grants write access to private models and datasets, making this a supply chain entry point, not just a credential leak.

Is CVE-2026-27167 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27167, increasing the risk of exploitation.

How to fix CVE-2026-27167?

1. PATCH: Upgrade all Gradio instances to 6.6.0 or later — this is the only complete fix. 2. DETECT exposure: Run 'pip show gradio' across ML workloads; flag any version 4.16.0–6.5.x with gr.LoginButton in the codebase. 3. ROTATE: Revoke and regenerate HF tokens on any system running a vulnerable Gradio instance that was network-accessible. 4. WORKAROUND if patching is delayed: Block /login/huggingface at the reverse proxy/WAF level, or restrict Gradio instances to localhost only. 5. HARDEN going forward: Enforce fine-grained HF tokens with minimum necessary scopes; never use org-admin tokens in application environments. 6. DETECTION: Alert on GET requests to /login/huggingface in access logs on any Gradio-serving host.

What systems are affected by CVE-2026-27167?

This vulnerability affects the following AI/ML architecture patterns: ML demo and prototyping platforms, Model serving (Gradio-based inference UIs), Internal ML tooling and portals, AI development environments, MLOps pipelines using HuggingFace Hub.

What is the CVSS score for CVE-2026-27167?

CVE-2026-27167 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.

Exploitation Scenario

Attacker scans for network-accessible Gradio instances (Shodan/Censys query on Gradio headers, port 7860). Identifies a target running v5.x with a gr.LoginButton in the UI — common in internal demo tools and ML team portals. Sends a single unauthenticated GET to /login/huggingface. Server automatically retrieves its own HF token via huggingface_hub.get_token() and stuffs it into a signed session cookie. Attacker reads the cookie, decodes it using the publicly known hardcoded '-v4' derived secret (no brute force needed — deterministic). Extracts the plaintext HF token. Uses token via HF API to enumerate private repos, download proprietary model weights, and push a poisoned model version with embedded backdoor. The org's downstream consumers pull the 'latest' tag and deploy the compromised model — full supply chain compromise from a single unauthenticated HTTP request.