Medium severity6.8NVD Advisory· Published May 27, 2026· Updated Jun 2, 2026
CVE-2026-48545
CVE-2026-48545
Description
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <6.15.0
Patches
Vulnerability mechanics
References
5- github.com/gradio-app/gradio/commit/feb7237d01f359d2ad4ee42d00344e61692b3b39nvdPatch
- github.com/gradio-app/gradio/pull/13384nvdIssue TrackingPatch
- github.com/gradio-app/gradio/issues/13369nvdIssue Tracking
- github.com/gradio-app/gradio/releases/tag/gradio%406.15.0nvdProductRelease Notes
- www.vulncheck.com/advisories/gradio-cookie-injection-via-shared-pronvdBroken Link
News mentions
0No linked articles in our index yet.