Vulnerability in Gradio Open-Source Python Package Allows Token Theft
CVE-2026-27167


Key Information:

Vendor: Gradio-app
Status: Vendor
CVE Published: 27 February 2026

What is CVE-2026-27167?

In Gradio versions prior to 6.6.0, applications that use OAuth components automatically enable mocked OAuth routes. If such an application is publicly accessible, this allows an attacker to steal access tokens: the token is retrieved and stored in the visitor's session cookie, and because the cookie is protected with a hardcoded secret, its payload is easily decodable. Users are advised to upgrade to version 6.6.0 or later, which fixes the issue.

Affected Version(s)

gradio >= 4.16.0, < 6.6.0
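The range above can be checked against a deployment's dependency pins. The script below is an added example written for this page, not code from the Gradio project: it compares a version string against the advisory's affected range (treating pre-releases of 6.6.0 as still affected, since they predate the fixed release) and scans a constructed sample of `pip freeze` output for the `gradio` pin.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the advisory: gradio >= 4.16.0, < 6.6.0
AFFECTED_MIN = (4, 16, 0)
FIXED_IN = (6, 6, 0)

VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?P<rest>.*)$")
PRERELEASE_RE = re.compile(r"[.\-]?(a|b|rc|dev|alpha|beta)\d*", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return (major, minor, patch) plus whether a pre-release suffix follows.

    Missing components count as 0, so '6.6' compares equal to '6.6.0'.
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(g) if g else 0 for g in m.group(1, 2, 3))
    is_pre = PRERELEASE_RE.match(m.group("rest")) is not None
    return base, is_pre  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if `version` falls inside the advisory's affected range."""
    base, is_pre = parse_version(version)
    if base < AFFECTED_MIN:
        return False
    if base < FIXED_IN:
        return True
    # 6.6.0rc1 / 6.6.0.dev3 were cut before the 6.6.0 fix release.
    return base == FIXED_IN and is_pre


def scan_freeze(freeze_output: str) -> Optional[Tuple[str, bool]]:
    """Find the `gradio==<version>` pin in `pip freeze` output and classify it."""
    for line in freeze_output.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name.strip().lower() == "gradio":  # skip gradio_client etc.
            return ver.strip(), is_affected(ver)
    return None  # gradio not installed in this environment


# Constructed sample of `pip freeze` output; not captured from a real deployment.
SAMPLE_FREEZE = """\
fastapi==0.115.0
gradio==5.9.1
gradio_client==1.5.2
"""

if __name__ == "__main__":
    print(scan_freeze(SAMPLE_FREEZE))
```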

CVSS V3.1

Score:
Severity: NONE
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
