CVE-2026-48545
EUVD-2026-3254727.05.2026, 15:16
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| gradio_project | gradio | 𝑥 < 6.15.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References