Key Vulnerability Information

Vulnerability Title
Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Vulnerability Description
Summary:
- Gradio applications running outside of Hugging Face Spaces enable "mocked" OAuth routes whenever OAuth components are used. These routes place the server's own Hugging Face access token in the visitor's session cookie, and that cookie is signed with a hardcoded secret.

Affected Components
Affected Component:
- functions: , , .

Root Cause Analysis
1. Real token injected into every visitor's session:
- The server stores its real HF access token in a session variable, and that variable is injected into the session of any visitor who hits .
2. Hardcoded session signing secret:
- When is not set, the session secret is derived from a hardcoded string. Because the session cookie is signed rather than encrypted, its payload is trivially decodable, and the signing key itself is public knowledge.

Attack Scenario
Prerequisites:
- A Gradio app using OAuth components.
- The app is network-accessible.
- The host machine has a Hugging Face token configured.
- is not set.
Steps:
1. Send a GET request to .
2. Follow the redirect to .
3. Base64-decode the session cookie to extract the access token.

Fixed Versions
Patched versions:

Vulnerability Severity
Severity: Low (CVSS Score: 0.0/10)

CVE ID
CVE-2026-27167

Vulnerability Proof
Proof of Concept:
- Python script provided to demonstrate token extraction.

Example Output
Example output:
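The advisory's own proof-of-concept script is not reproduced on this page. The example below is an added illustration, not Gradio's code or the reporter's PoC, of the two root causes above: a signed cookie protects integrity but not confidentiality, so the session payload (and any server token placed in it) can be read by anyone holding the cookie without knowing the secret, and a hardcoded secret additionally lets a client mint its own valid session cookie. The cookie encoding used here (base64url JSON payload, a dot, then a base64url HMAC-SHA256 tag), the secret value and the session contents are all constructed for the demonstration and are not claimed to match Gradio's actual session format.

```python
"""Added example (not from the advisory): why a signed-but-unencrypted session
cookie leaks its contents, and why a hardcoded signing secret is a problem.

Cookie format assumed here, purely for illustration:
    base64url(JSON session) + "." + base64url(HMAC-SHA256(secret, payload))
"""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a secret derived from a hardcoded string.
HARDCODED_SECRET = b"example-hardcoded-session-secret"


def _b64u(raw: bytes) -> bytes:
    """base64url without padding, as many cookie signers emit it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64u_decode(text: str) -> bytes:
    """Inverse of _b64u; restores the padding stripped on encode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(session: dict, secret: bytes = HARDCODED_SECRET) -> str:
    """Server side: serialize the session, sign it, return the cookie value.
    Note that nothing here hides the payload; it is only authenticated."""
    payload = _b64u(json.dumps(session, separators=(",", ":")).encode())
    tag = _b64u(hmac.new(secret, payload, hashlib.sha256).digest())
    return payload.decode() + "." + tag.decode()


def verify_session_cookie(cookie: str, secret: bytes):
    """Server side: return the session dict if the signature checks out,
    otherwise None. Constant-time comparison avoids timing leaks."""
    payload, _, tag = cookie.rpartition(".")
    expected = _b64u(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag.encode(), expected):
        return None
    return json.loads(_b64u_decode(payload))


def read_session_without_secret(cookie: str) -> dict:
    """Attacker side, step 3 of the advisory: drop the signature and
    base64-decode the payload. No secret is needed to read it."""
    payload, _, _ = cookie.rpartition(".")
    return json.loads(_b64u_decode(payload))


def leaked_access_token(cookie: str, key: str = "access_token"):
    """Pull the server's token out of a cookie the server handed to a visitor.
    The key name is an assumption for this example."""
    return read_session_without_secret(cookie).get(key)


def forge_session_cookie(session: dict) -> str:
    """Attacker side: with the secret known from source, any session is forgeable."""
    return make_session_cookie(session, HARDCODED_SECRET)


def audit_session_for_secrets(session: dict) -> list:
    """Defender check: flag session keys that look like credentials before the
    session is serialized into a client-visible cookie. Heuristic key list is
    an assumption for this example."""
    suspicious = ("token", "secret", "password", "api_key")
    return sorted(k for k in session if any(s in k.lower() for s in suspicious))


if __name__ == "__main__":
    # Constructed session: what a mocked-OAuth login might store for a visitor.
    server_session = {"oauth_mock": True, "access_token": "hf_constructed_example_token"}
    cookie = make_session_cookie(server_session)
    print("visitor can read:", leaked_access_token(cookie))
    print("audit flags:", audit_session_for_secrets(server_session))
    forged = forge_session_cookie({"oauth_mock": True, "user": "anyone"})
    print("forged cookie accepted:", verify_session_cookie(forged, HARDCODED_SECRET) is not None)
```

The defender-side check is the part worth keeping: a session cookie is a client-held document, so anything that must stay on the server (a service token, an API key) does not belong in it at all, regardless of how strong or well-managed the signing secret is. Setting the secret from the environment fixes forgeability but not disclosure.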