CVE-2026-27167: gradio: Weak Credentials allow account compromise

GHSA-h3h8-3v2v-rg7m | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published February 27, 2026
CISO Take

Any Gradio deployment (v4.16.0–6.5.x) running outside Hugging Face Spaces with a LoginButton component exposed to the network is leaking the server owner's Hugging Face token to any visitor — no auth required. Patch to 6.6.0 immediately; if you can't, block the /login/huggingface route at the network layer and rotate all HF tokens on affected systems. The stolen token likely grants write access to private models and datasets, making this a supply chain entry point, not just a credential leak.

What is the risk?

CVSS 5.9 Medium understates the real risk for AI/ML environments. The attack requires no authentication and no user interaction — just network access to the Gradio app. The hardcoded cookie signing secret ('-v4' derived) means token extraction is trivial once the session cookie is obtained. HF tokens are typically scoped broadly (read/write on models, datasets, spaces) and rarely rotated. In an AI team context, this is effectively a key to the model registry. Risk should be treated as HIGH for any org with Gradio instances on internal or public networks.

What systems are affected?

Package   Ecosystem   Vulnerable Range     Patched
Gradio    pip                              No patch
Gradio    pip         >= 4.16.0, < 6.6.0   6.6.0

Package stats: 43.0K, OpenSSF score 5.6, 685 dependents, pushed 4d ago, 26% patched, ~110d to patch.

How severe is it?

CVSS 3.1: 5.9 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 36% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Advanced
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): High
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

6 steps

  1. PATCH: Upgrade all Gradio instances to 6.6.0 or later — this is the only complete fix.

  2. DETECT exposure: Run 'pip show gradio' across ML workloads; flag any version 4.16.0–6.5.x with gr.LoginButton in the codebase.

  3. ROTATE: Revoke and regenerate HF tokens on any system running a vulnerable Gradio instance that was network-accessible.

  4. WORKAROUND if patching is delayed: Block /login/huggingface at the reverse proxy/WAF level, or restrict Gradio instances to localhost only.

  5. HARDEN going forward: Enforce fine-grained HF tokens with minimum necessary scopes; never use org-admin tokens in application environments.

  6. DETECTION: Alert on GET requests to /login/huggingface in access logs on any Gradio-serving host.
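Steps 2 and 6 above are the two that can be scripted. The block below is an added example written for this page, not Gradio's code and not from the advisory source. It assumes the installed version is read through importlib.metadata (the same data `pip show gradio` prints), that the code base is scanned as plain text for `LoginButton(` instantiations, that access logs are in the common or combined log format, and that the version strings and log lines embedded in it are constructed for illustration.

```python
"""Exposure inventory (step 2) and access-log detection (step 6) for CVE-2026-27167.

Added example, not Gradio's or the advisory's own code. Assumptions:
 - the Gradio version comes from package metadata, equivalent to `pip show gradio`;
 - access logs are in common/combined log format;
 - /login/huggingface is the only affected route, as the advisory states.
"""
import re
from importlib import metadata

VULN_LOW = (4, 16, 0)   # first affected version (inclusive), per the advisory
FIXED = (6, 6, 0)       # first fixed version, per the advisory


def parse_version(text):
    """Turn '5.29.1' or '6.6.0rc1' into a comparable tuple of its numeric parts."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True for 4.16.0 <= version < 6.6.0."""
    return VULN_LOW <= parse_version(text) < FIXED


def installed_gradio_version():
    """Equivalent of `pip show gradio`; None when Gradio is not installed."""
    try:
        return metadata.version("gradio")
    except metadata.PackageNotFoundError:
        return None


# Matches gr.LoginButton(, gradio.LoginButton( or a bare LoginButton( call.
LOGIN_BUTTON_RE = re.compile(r"\b(?:gr\.|gradio\.)?LoginButton\s*\(")


def uses_login_button(source):
    """True when the source text instantiates the OAuth LoginButton component."""
    return bool(LOGIN_BUTTON_RE.search(source))


def assess(version_text, sources):
    """Combine step 2's two signals into one verdict for a host."""
    vuln = version_text is not None and is_vulnerable_version(version_text)
    button = any(uses_login_button(s) for s in sources)
    return {"vulnerable_version": vuln, "login_button": button, "exposed": vuln and button}


# Step 6: common/combined log format -> client, timestamp, method, path, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client, timestamp, method, path, status) for every hit on /login/huggingface."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        # Ignore query string and trailing slash so /login/huggingface?next=/ is still caught.
        if path.split("?", 1)[0].rstrip("/") == "/login/huggingface":
            hits.append((client, ts, method, path, int(status)))
    return hits


# Constructed sample log lines (not real traffic); status codes are illustrative.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Feb/2026:10:01:09 +0000] "GET /login/huggingface HTTP/1.1" 307 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [27/Feb/2026:10:01:10 +0000] "GET /login/huggingface?next=/ HTTP/1.1" 307 0 "-" "curl/8.4.0"',
    '10.0.0.5 - - [27/Feb/2026:10:02:00 +0000] "POST /api/predict HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Constructed inputs: a vulnerable version string and a source snippet using the button.
    print(assess("5.29.1", ["with gr.Blocks() as demo:\n    gr.LoginButton()\n"]))
    for hit in scan_access_log(SAMPLE_LOG):
        print("ALERT /login/huggingface:", hit)
```

On a real host call assess(installed_gradio_version(), sources) with the application's source files, and feed scan_access_log the reverse proxy or Gradio access log. Because one request to this route is all the leak needs, a hit from an unexpected client on a host that assess() marks exposed should trigger step 3 (token rotation), not only an alert.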

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  6.1.2 - AI risk assessment
  A.6.2.3 - Access to AI systems and associated resources
  A.9.4 - Technical security controls for AI systems
NIST AI RMF
  GOVERN 6.2 - Policies and procedures are in place to address AI risks and benefits
  MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
  MANAGE 2.4 - Risks are monitored and documented
OWASP LLM Top 10
  LLM02:2025 - Sensitive Information Disclosure
  LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-27167 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27167, increasing the risk of exploitation.

What systems are affected by CVE-2026-27167?

This vulnerability affects the following AI/ML architecture patterns: ML demo and prototyping platforms, Model serving (Gradio-based inference UIs), Internal ML tooling and portals, AI development environments, MLOps pipelines using HuggingFace Hub.

What is the CVSS score for CVE-2026-27167?

CVE-2026-27167 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.45%.

What is the AI security impact?

Affected AI Architectures

  • ML demo and prototyping platforms
  • Model serving (Gradio-based inference UIs)
  • Internal ML tooling and portals
  • AI development environments
  • MLOps pipelines using HuggingFace Hub

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0091.000 Application Access Token
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, A.6.2.3, A.9.4
NIST AI RMF: GOVERN 6.2, MANAGE 2.2, MANAGE 2.4
OWASP LLM Top 10: LLM02:2025, LLM05:2025

What are the technical details?

Original Advisory

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.

Exploitation Scenario

Attacker scans for network-accessible Gradio instances (Shodan/Censys query on Gradio headers, port 7860). Identifies a target running v5.x with a gr.LoginButton in the UI — common in internal demo tools and ML team portals. Sends a single unauthenticated GET to /login/huggingface. Server automatically retrieves its own HF token via huggingface_hub.get_token() and stuffs it into a signed session cookie. Attacker reads the cookie, decodes it using the publicly known hardcoded '-v4' derived secret (no brute force needed — deterministic). Extracts the plaintext HF token. Uses token via HF API to enumerate private repos, download proprietary model weights, and push a poisoned model version with embedded backdoor. The org's downstream consumers pull the 'latest' tag and deploy the compromised model — full supply chain compromise from a single unauthenticated HTTP request.

Weaknesses (CWE)

CWE-522 — Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

  • [Architecture and Design] Use an appropriate security mechanism to protect the credentials.
  • [Architecture and Design] Make appropriate use of cryptography to protect the credentials.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
February 27, 2026
Last Modified
March 5, 2026
First Seen
February 27, 2026
