VYPR
Medium severity6.8NVD Advisory· Published May 27, 2026· Updated Jun 2, 2026

CVE-2026-48545

CVE-2026-48545

Description

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Gradio App/Gradioreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <6.15.0

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.