Any Gradio deployment (v4.16.0–6.5.x) running outside Hugging Face Spaces with a LoginButton component exposed to the network is leaking the server owner's Hugging Face token to any visitor — no auth required. Patch to 6.6.0 immediately; if you can't, block the /login/huggingface route at the network layer and rotate all HF tokens on affected systems. The stolen token likely grants write access to private models and datasets, making this a supply chain entry point, not just a credential leak.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | >= 4.16.0, < 6.6.0 | 6.6.0 |
| gradio | pip | — | No patch |
| gradio | pip | — | No patch |
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade all Gradio instances to 6.6.0 or later — this is the only complete fix. 2. DETECT exposure: Run 'pip show gradio' across ML workloads; flag any version 4.16.0–6.5.x with gr.LoginButton in the codebase. 3. ROTATE: Revoke and regenerate HF tokens on any system running a vulnerable Gradio instance that was network-accessible. 4. WORKAROUND if patching is delayed: Block /login/huggingface at the reverse proxy/WAF level, or restrict Gradio instances to localhost only. 5. HARDEN going forward: Enforce fine-grained HF tokens with minimum necessary scopes; never use org-admin tokens in application environments. 6. DETECTION: Alert on GET requests to /login/huggingface in access logs on any Gradio-serving host.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.
Exploitation Scenario
Attacker scans for network-accessible Gradio instances (Shodan/Censys query on Gradio headers, port 7860). Identifies a target running v5.x with a gr.LoginButton in the UI — common in internal demo tools and ML team portals. Sends a single unauthenticated GET to /login/huggingface. Server automatically retrieves its own HF token via huggingface_hub.get_token() and stuffs it into a signed session cookie. Attacker reads the cookie, decodes it using the publicly known hardcoded '-v4' derived secret (no brute force needed — deterministic). Extracts the plaintext HF token. Uses token via HF API to enumerate private repos, download proprietary model weights, and push a poisoned model version with embedded backdoor. The org's downstream consumers pull the 'latest' tag and deploy the compromised model — full supply chain compromise from a single unauthenticated HTTP request.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N References
- github.com/advisories/GHSA-h3h8-3v2v-rg7m
- github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e
- github.com/gradio-app/gradio/releases/tag/gradio@6.6.0
- github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m
- nvd.nist.gov/vuln/detail/CVE-2026-27167
- github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m Exploit Vendor
- github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m Exploit Vendor
- github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m Exploit Vendor