Information disclosure in Gradio - CVE-2026-27167


Published: April 28, 2026


Vulnerability identifier: #VU128299
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27167
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Gradio
Affected software:
Gradio

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the mocked OAuth routes in gradio/oauth.py expose sensitive information when handling requests to the /login/huggingface and /login/callback endpoints. A remote attacker can trigger the mocked OAuth flow and decode the session cookie payload to disclose sensitive information.

Only applications that run outside of Hugging Face Spaces, use OAuth components, and have a Hugging Face token configured on the host are vulnerable.


How to mitigate CVE-2026-27167

Install the security update from the vendor's website.