Copyright © 2012 Red Hat, Inc. All rights reserved. Low 2026-02-27T21:40:57 Gradio: Gradio: Information disclosure due to hardcoded secret in session cookie signing, allowing remote attackers to steal Hugging Face tokens. 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CWE-798

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.

A flaw was found in Gradio. When Gradio applications run outside of Hugging Face Spaces and use OAuth components, they automatically enable "mocked" OAuth routes. A remote attacker can exploit this by visiting the /login/huggingface endpoint, which causes the server to retrieve its Hugging Face (HF) access token and store it in the visitor's session cookie. Since the session cookie is signed with a hardcoded secret, the attacker can easily decode the payload and steal the server owner's HF token, leading to information disclosure.

This vulnerability in Gradio applications, specifically affecting `ansible-chatbot-service` in Ansible Services, allows a remote attacker to obtain the server owner's Hugging Face access token. This occurs when network-accessible Gradio applications utilize OAuth components outside of Hugging Face Spaces, leading to the automatic enablement of "mocked" OAuth routes. The session cookie, containing the token, is signed with a hardcoded secret, making it trivially decodable. To mitigate this issue, restrict network access to Gradio applications that utilize OAuth components and are deployed outside of Hugging Face Spaces. Implement firewall rules or a reverse proxy to limit exposure of the application's `/login/huggingface` endpoint to trusted networks only. If feasible, avoid using OAuth components in self-hosted Gradio deployments until a version with a proper fix is available. https://www.cve.org/CVERecord?id=CVE-2026-27167 https://nvd.nist.gov/vuln/detail/CVE-2026-27167 https://github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m