CVE-2023-46315 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any Stable Diffusion deployment running the Infinite Image Browsing extension with Gradio auth but without a secret key is fully exposed to unauthenticated credential theft via a single HTTP request. Attackers can read /proc/self/environ to harvest API keys, cloud tokens, and database passwords with zero effort. Patch to commit 977815a immediately and rotate all credentials on affected systems.

Risk Assessment

High severity with trivial exploitability. Zero authentication, zero user interaction, and network-accessible attack vector combine to make this a priority target for opportunistic attackers. The confidentiality impact is maximal: Stable Diffusion deployments on cloud GPU instances routinely carry rich credential environments including HuggingFace tokens, OpenAI keys, S3 credentials, and database passwords. The misconfiguration-dependent trigger (Gradio auth enabled without secret key) is common in community deployments following default setup guides.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
stable_diffusion_webui_infinite_image_browsing	—	—	No patch

Do you use stable_diffusion_webui_infinite_image_browsing? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 37% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Update sd-webui-infinite-image-browsing to commit 977815a or later immediately.
If patching is blocked, disable the extension in the SD web UI extensions manager.
Rotate all credentials (API keys, tokens, cloud secrets, DB passwords) present in environment variables on any system that ran the vulnerable version.
Never expose SD web UI directly to the internet — enforce VPN or IP allowlist regardless of auth configuration.
Detection: audit web server access logs for requests matching /file?path= pattern, especially those targeting /proc, /etc, or home directory paths.
Consider running SD processes with minimal environment variables and a dedicated low-privilege service account.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Privacy Violation Framework Inference AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system security and resilience

NIST AI RMF

MANAGE-2.2 - Treatments and responses to identified AI risks

OWASP LLM Top 10

LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-46315?

Any Stable Diffusion deployment running the Infinite Image Browsing extension with Gradio auth but without a secret key is fully exposed to unauthenticated credential theft via a single HTTP request. Attackers can read /proc/self/environ to harvest API keys, cloud tokens, and database passwords with zero effort. Patch to commit 977815a immediately and rotate all credentials on affected systems.

Is CVE-2023-46315 actively exploited?

No confirmed active exploitation of CVE-2023-46315 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-46315?

1. Update sd-webui-infinite-image-browsing to commit 977815a or later immediately. 2. If patching is blocked, disable the extension in the SD web UI extensions manager. 3. Rotate all credentials (API keys, tokens, cloud secrets, DB passwords) present in environment variables on any system that ran the vulnerable version. 4. Never expose SD web UI directly to the internet — enforce VPN or IP allowlist regardless of auth configuration. 5. Detection: audit web server access logs for requests matching /file?path= pattern, especially those targeting /proc, /etc, or home directory paths. 6. Consider running SD processes with minimal environment variables and a dedicated low-privilege service account.

What systems are affected by CVE-2023-46315?

This vulnerability affects the following AI/ML architecture patterns: model serving, ml_ui, training pipelines.

What is the CVSS score for CVE-2023-46315?

CVE-2023-46315 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.16%.

Technical Details

NVD Description

The zanllp sd-webui-infinite-image-browsing (aka Infinite Image Browsing) extension before 977815a for stable-diffusion-webui (aka Stable Diffusion web UI), if Gradio authentication is enabled without secret key configuration, allows remote attackers to read any local file via /file?path= in the URL, as demonstrated by reading /proc/self/environ to discover credentials.

Exploitation Scenario

An adversary scans internet-facing hosts for Stable Diffusion web UI instances and confirms the Infinite Image Browsing extension is active. They issue a single unauthenticated GET request to https://target/file?path=/proc/self/environ. The server responds with all environment variables of the running process, including HuggingFace API tokens, OpenAI keys, AWS credentials, and database connection strings. Using the harvested HuggingFace token, the attacker accesses private model repositories; with AWS credentials they pivot to S3 buckets containing proprietary training datasets. The entire chain requires no AI/ML knowledge — just knowledge of the Linux /proc filesystem.