HarborGuard / CVE
Severity: HIGH | CVE-2026-48545 | CNA: VulnCheck

CVE-2026-48545: Gradio < 6.15.0 Cookie Injection via Shared Proxy Client

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

HarborGuard Analysis

Synopsis

Cookie injection vulnerability in Gradio before version 6.15.0 allows a remote attacker to perform cross-Space session fixation through a shared module-level HTTP client in the reverse proxy endpoint. The attack requires no authentication but does require the attacker to control a Hugging Face Space and depends on a user making a proxied request, while also involving environmental timing factors. Successful exploitation lets the attacker inject a parent-domain cookie that is automatically replayed into all subsequent proxy requests from the shared client, compromising the session integrity of every user passing through the same Gradio deployment. A patched-image rebuild at version 6.15.0 is available on HarborGuard for affected environments.
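The replay mechanism described in the synopsis, reduced to its core with Python's standard-library cookie jar: a cookie store shared across proxied requests accepts a parent-domain cookie from one upstream origin and attaches it to a later request to a different origin, whereas a client that never persists upstream cookies sends nothing. This is an added illustration, not Gradio's or HarborGuard's code; the hostnames and cookie values are constructed.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Hostnames and cookie values are constructed for this demonstration.
HOSTILE_UPSTREAM = "https://hostile.hf.example/app"
OTHER_UPSTREAM = "https://legit.hf.example/app"
PARENT_DOMAIN_COOKIE = "session=fixated; Domain=.hf.example; Path=/"


class _UpstreamResponse:
    """Stand-in for an upstream response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def proxied_request(jar, url, upstream_set_cookie=()):
    """One hop through a proxy client whose cookie store is `jar`.

    Attaches whatever `jar` holds for `url`, lets the jar absorb the
    upstream's Set-Cookie headers, and returns the Cookie header sent.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    jar.extract_cookies(_UpstreamResponse(list(upstream_set_cookie)), req)
    return req.get_header("Cookie", "")


def cookie_sent_by_shared_client():
    """Vulnerable pattern: one module-level jar reused for every user's request."""
    shared_jar = http.cookiejar.CookieJar()
    # Hop 1: a hostile upstream answers with a parent-domain cookie.
    proxied_request(shared_jar, HOSTILE_UPSTREAM, [PARENT_DOMAIN_COOKIE])
    # Hop 2: another user's request to a different origin replays it.
    return proxied_request(shared_jar, OTHER_UPSTREAM)


def cookie_sent_by_hardened_client():
    """Mitigation: the shared client refuses to persist any upstream cookie,
    so nothing returned by one origin can be replayed to another."""
    no_store = http.cookiejar.DefaultCookiePolicy(allowed_domains=[])
    shared_jar = http.cookiejar.CookieJar(policy=no_store)
    proxied_request(shared_jar, HOSTILE_UPSTREAM, [PARENT_DOMAIN_COOKIE])
    return proxied_request(shared_jar, OTHER_UPSTREAM)
```

A per-request client with its own empty cookie store achieves the same isolation; the point either way is that cookies set by one proxied origin must never outlive the request that received them.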

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48545 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the gradio package at any version below 6.15.0.

Triage: Available

HarborGuard scores this CVE at CVSS 7.6 HIGH using the v4.0 vector and can weight that score against each environment's compliance policy to surface it in the appropriate priority inbox for each customer organization.

Patch: Available

A patched-image rebuild at Gradio 6.15.0 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Gradio reverse proxy endpoint over the network; the service must be exposed to or reachable by the attacker across the internet or an accessible network path.

  • Authentication: Not required

    No account or credential is needed to stage the attack; the shared HTTP client is accessible to unauthenticated request flows.

  • Victim interaction: Required

    A legitimate user must make a proxied request through the affected Gradio deployment after the attacker's malicious Space has poisoned the shared client's cookie store.

  • Attack complexity: Detail

    Exploitation depends on environmental sequencing: the attacker's Space must respond with the malicious cookie before or during victim requests, introducing a race-like ordering dependency rather than a straightforward, condition-free exploit.

Blast Radius

  • The attacker's injected cookie is replayed automatically into all subsequent proxy requests from the shared HTTP client, letting the attacker fixate or hijack active sessions belonging to other users of the same Gradio deployment.
  • Confidential data transmitted in those proxied requests, including stored session tokens and any user-specific payload routed through the reverse proxy, becomes readable by the attacker.
  • The attacker can modify the content of proxied requests sent to legitimate Spaces on behalf of other users, enabling unauthorized writes or state changes within those Spaces.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48545 runs against all customer registries and build pipelines continuously, matching any image that packages gradio below 6.15.0. A rebuilt image at the fix version (6.15.0) is available for environments running an affected version. For customers who opt into auto-remediation, HarborGuard initiates a base-image rebuild, executes a regression test run against the patched image, and opens a pull request targeting affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual sign-off, the rebuilt image and a prioritized alert are queued for reviewer action. Until a rebuild is deployed, customers can reduce exposure by isolating the Gradio deployment behind a network policy that restricts which Spaces or origins it can proxy, and by applying egress filtering to limit outbound connections from the reverse proxy component.

Metrics

  • CVSS v4.0: 7.6
  • Severity: HIGH
  • Fixed in: 6.15.0
  • Affected products: 1

Fix available: 6.15.0

Patch commits: none listed

Affected packages
  • gradio-app / gradio: < 6.15.0 (from 0)

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N