Gradio – Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

02/03/2026

Gradio applications running outside of Hugging Face Spaces automatically enable “mocked” OAuth routes when OAuth components (e.g. gr.LoginButton) are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingface_hub.get_token() and stores it in the visitor’s session cookie.

If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner’s HF token. The session cookie is signed with a hardcoded secret derived from the string “-v4”, making the payload trivially decodable.

Joshua Martinelle Mon, 03/02/2026 – 07:17
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Gradio – Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Latest article

Looking at the SmarterMail API Vulnerability CVE-2026-24423

Security Flaw in WordPress Plugin Puts 400,000 Websites at Risk

Medical giant Stryker crippled after Iranian hackers remotely wipe computers

This one’s for you, Mom

EDITOR PICKS

Looking at the SmarterMail API Vulnerability CVE-2026-24423

Security Flaw in WordPress Plugin Puts 400,000 Websites at Risk

Medical giant Stryker crippled after Iranian hackers remotely wipe computers

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY