CVE-2026-48545: Gradio: cookie injection hijacks cross-Space sessions
Severity: MEDIUM
Gradio before 6.15.0 uses a single module-level HTTP client shared across all users in its reverse proxy endpoint — meaning any attacker who controls a HuggingFace Space can return a parent-domain Set-Cookie header that gets stored in that shared client and silently replayed into every subsequent proxy request to other legitimate Spaces, affecting all users of the same deployment. The attack is most dangerous in multi-tenant environments like HuggingFace Spaces, where a single poisoned Space can corrupt the session state of unrelated users accessing entirely different applications. There is no public exploit, no KEV listing, and no EPSS data, but the C:H/I:H CVSS impact scores mean a successful cross-Space session fixation can result in full account compromise. Upgrade all Gradio deployments to 6.15.0 immediately and audit proxy request logs for Set-Cookie headers originating from unexpected domains.
What is the risk?
Medium risk in isolated single-tenant deployments; elevated risk in shared multi-tenant environments such as HuggingFace Spaces. The shared HTTP client design flaw converts any single attacker-controlled Space into a persistent injection point for all users of the same Gradio instance — a non-obvious blast radius that significantly exceeds what the CVSS 6.8 score alone suggests. High attack complexity limits opportunistic exploitation, but motivated adversaries targeting high-traffic Spaces have a practical path to cross-user session fixation without needing any privileges. The confidentiality and integrity impact scores are both High, making successful exploitation severe despite the narrow exploitation window.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | — | No patch |
Do you use gradio? You're affected.
What should I do?
Five steps:
1. Upgrade Gradio to 6.15.0 immediately — this is the only complete remediation (see commit feb7237 and release tag gradio@6.15.0).
2. If immediate upgrade is not possible, restrict or disable the reverse proxy endpoint at the network or WAF layer to prevent cookie injection vectors.
3. Enforce cookie SameSite=Strict and Secure attributes on session cookies in applications proxied through Gradio to reduce replayed-cookie impact.
4. Review proxy request logs for Set-Cookie headers whose domain scope exceeds the originating Space's domain — anomalous parent-domain cookies are the key indicator.
5. For HuggingFace Spaces operators, prioritize upgrade of high-traffic shared deployments where cross-user blast radius is greatest.
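Step 4 above asks operators to find Set-Cookie headers whose Domain attribute is wider than the Space that emitted them. The following check does that over a constructed log excerpt. It is an added example, not Gradio's code or logging format: the `upstream=<host> set-cookie="<value>"` line layout, the hostnames and the timestamps are all assumptions made for illustration.

```python
"""Audit helper for step 4: flag Set-Cookie headers whose Domain attribute is
broader than the upstream host that emitted them. Added example; the log line
format below is constructed for illustration and is not Gradio's own logging."""
import re
from http.cookies import SimpleCookie

# Constructed log excerpt: one line per upstream response seen by the proxy.
PROXY_LOG = """\
2026-01-10T12:00:01Z upstream=demo-a.hub.example.org set-cookie="csrftoken=abc; Path=/"
2026-01-10T12:00:02Z upstream=evil-space.hub.example.org set-cookie="session=attacker-chosen; Domain=hub.example.org; Path=/"
2026-01-10T12:00:03Z upstream=demo-b.hub.example.org set-cookie="theme=dark; Domain=demo-b.hub.example.org"
"""

# Matches the constructed format: upstream=<host> set-cookie="<header value>"
LOG_RE = re.compile(r'upstream=(?P<host>\S+)\s+set-cookie="(?P<cookie>[^"]*)"')


def over_scoped_cookies(set_cookie_value, upstream_host):
    """Return the names of cookies in one Set-Cookie value whose Domain attribute
    names a parent of upstream_host, i.e. cookies a cookie jar would also send to
    sibling hosts under that parent. Host-only cookies (no Domain) are not flagged."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_value)
    host = upstream_host.lower()
    flagged = []
    for name, morsel in parsed.items():
        domain = morsel["domain"].lower().lstrip(".")
        if domain and domain != host and host.endswith("." + domain):
            flagged.append(name)
    return flagged


def audit_proxy_log(lines):
    """Scan log lines and return (upstream_host, cookie_name) for every cookie
    that is scoped above the host that set it."""
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        for name in over_scoped_cookies(match["cookie"], match["host"]):
            findings.append((match["host"], name))
    return findings


if __name__ == "__main__":
    for host, name in audit_proxy_log(PROXY_LOG.splitlines()):
        print(f"parent-domain cookie {name!r} set by {host}")
```

Only the second line is reported: the first cookie is host-only, and the third names exactly the host that set it. Adapting the regular expression to the real log layout is the only change needed to run this over production proxy logs.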
Frequently Asked Questions
Is CVE-2026-48545 actively exploited?
No confirmed active exploitation of CVE-2026-48545 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-48545?
This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving UIs, shared Gradio deployments, HuggingFace Spaces multi-tenant environments.
What is the CVSS score for CVE-2026-48545?
CVE-2026-48545 has a CVSS v3.1 base score of 6.8 (MEDIUM).
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0078 Drive-by Compromise
- AML.T0091.000 Application Access Token
Technical Details
Original Advisory
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.
Exploitation Scenario
An adversary creates a HuggingFace Space running a vulnerable Gradio version and configures the Space backend to return HTTP responses containing a Set-Cookie header scoped to the parent domain (e.g., huggingface.co). When any user's browser triggers a proxy request through the shared Gradio HTTP client — even to a completely unrelated legitimate Space — the shared client stores the attacker's injected cookie. From that point forward, the shared client automatically includes the attacker's cookie in all proxy requests made on behalf of other users to legitimate Spaces. The attacker's cookie is presented to target Spaces as if it were the user's own session credential, enabling cross-Space session fixation; if the target Space accepts the cookie for authentication, the adversary achieves full session takeover without ever interacting with the victim directly.
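The scenario above hinges on one cookie jar being shared by every user and every upstream Space. The following added example (not Gradio's code, and not the patch from commit feb7237) reproduces that failure mode with the standard-library CookieJar so that real cookie-domain rules apply without any network access. The hostnames, the `hub.example.org` parent domain and the `proxy_request` shape are constructed; the hardened variant assumes the fix amounts to never letting cookie state outlive a single proxied request.

```python
"""Demonstrates the shared-cookie-jar failure mode behind the advisory using the
standard-library CookieJar, so real cookie-domain rules apply without any network
access. Added example; the proxy shape and hostnames are constructed and are not
Gradio's code."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed hostnames: two Spaces that share a parent domain.
ATTACKER_SPACE = "https://evil-space.hub.example.org/api/predict"
VICTIM_SPACE = "https://victim-space.hub.example.org/api/predict"


class FakeResponse:
    """Minimal response stand-in: CookieJar.extract_cookies only needs .info()."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg[name] = value

    def info(self):
        return self._msg


def attacker_upstream(url):
    # A malicious Space answers with a cookie scoped to the shared parent domain.
    return [("Set-Cookie", "session=attacker-chosen; Domain=hub.example.org; Path=/")]


def benign_upstream(url):
    # A legitimate Space sets nothing.
    return []


def proxy_request(url, upstream, jar):
    """Forward one proxied request using `jar` for cookie state.

    Returns the Cookie header value that was sent upstream (None when no stored
    cookie applied to this host), so replay is observable as a return value."""
    req = Request(url)
    jar.add_cookie_header(req)                              # replay what the jar holds
    sent = req.get_header("Cookie")
    jar.extract_cookies(FakeResponse(upstream(url)), req)   # store any Set-Cookie
    return sent


def shared_client_sequence():
    """Vulnerable pattern: one jar for every user and every Space."""
    shared_jar = CookieJar()            # module-level state in the vulnerable design
    first = proxy_request(ATTACKER_SPACE, attacker_upstream, shared_jar)
    second = proxy_request(VICTIM_SPACE, benign_upstream, shared_jar)
    return first, second                # (None, 'session=attacker-chosen')


def isolated_client_sequence():
    """Hardened pattern: cookie state never outlives one proxied request."""
    first = proxy_request(ATTACKER_SPACE, attacker_upstream, CookieJar())
    second = proxy_request(VICTIM_SPACE, benign_upstream, CookieJar())
    return first, second                # (None, None)


if __name__ == "__main__":
    print("shared jar:  ", shared_client_sequence())
    print("isolated jar:", isolated_client_sequence())
```

With the shared jar, the second request, made on behalf of a different user to an unrelated Space, carries the cookie the first upstream planted, because `Domain=hub.example.org` matches every host under that parent. A host-only cookie (no Domain attribute) would not cross Spaces even in the shared jar, which is why the parent-domain scope is the indicator worth logging.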
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Related Vulnerabilities (same package: gradio)
- CVE-2024-47167 (9.8): Gradio: unauthenticated SSRF in /queue/join, internal pivot
- CVE-2024-39236 (9.8): Gradio: code injection via component metadata (CVSS 9.8)
- CVE-2023-25823 (9.8): Gradio: hardcoded SSH key leaks via share=True demos
- CVE-2024-0964 (9.4): Gradio: unauthenticated LFI exposes full server filesystem
- CVE-2023-34239 (9.1): Gradio: path traversal + SSRF exposes model files & infra