CVE-2026-48545

HIGH EPSS 27.5%
Published May 27, 20261mo ago · Modified Jun 17, 20261w ago
7.6 CVSS 4.0
High
Find Similar
Published May 27, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

CVSS Details

Base Score
7.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
27.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-384

Affected Products 1

VendorProductVersionRange
gradio_projectgradio* <6.15.0

References 5

  • github.com https://github.com/gradio-app/gradio/commit/feb7237d01f359d2ad4ee42d00344e61692b3b39
    Patch
  • github.com https://github.com/gradio-app/gradio/issues/13369
    Issue Tracking
  • github.com https://github.com/gradio-app/gradio/pull/13384
    Issue TrackingPatch
  • github.com https://github.com/gradio-app/gradio/releases/tag/gradio%406.15.0
    ProductRelease Notes
  • vulncheck.com https://www.vulncheck.com/advisories/gradio-cookie-injection-via-shared-pro
    Broken Link

Remediation

  • github.com https://github.com/gradio-app/gradio/commit/feb7237d01f359d2ad4ee42d00344e61692b3b39
    Patch
  • github.com https://github.com/gradio-app/gradio/pull/13384
    Issue TrackingPatch