CVE-2026-6608: FastChat: control flow flaw corrupts arena comparison

GHSA-f3q6-69f3-vwch | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published April 20, 2026
CISO Take

FastChat's Arena Side-by-Side View has an incorrect control flow vulnerability (CWE-670) in the add_text handler that lets an unauthenticated remote attacker corrupt the integrity of LLM head-to-head comparisons with no privileges or user interaction. Critically, the developer's fix in commit 34eca62 touched only one of the four affected arena handler files (gradio_block_arena_named.py), so fschat deployments up to 0.2.36 remain partially or fully exploitable even where teams believe they are patched. The EPSS probability is low (about 0.3%), but a public proof-of-concept gist exists, and the package carries roughly 680 downstream dependents, an OpenSSF Scorecard of about 5.5/10, and a history of 52 CVEs: clear signals of systemic security debt. Teams using FastChat for model evaluation or LLM procurement benchmarking should restrict arena endpoints to authenticated internal access now, upgrade as soon as a release fixes all four handler files, and verify that the fix is present in each file before treating the issue as closed.

Sources: NVD, EPSS, GitHub Advisory, MITRE ATLAS, OpenSSF

What is the risk?

Medium risk, with elevated operational concern for AI evaluation teams. The attack is trivially executable (network-reachable, no authentication, no user interaction, low complexity), but the impact is limited to partial integrity (CVSS I:L) with no confidentiality or availability exposure. The incomplete patch is the most concerning factor: applying an update without verifying all four affected arena handler files leaves a false sense of remediation. The 80/100 package risk score and 52 historical CVEs indicate a pattern of unresolved security debt. The risk materializes when arena comparison data informs model selection, procurement, or governance decisions; silent manipulation of benchmark results could then steer high-value organizational choices without raising any security alert.

How does the attack unfold?

1. Target Discovery (AML.T0006): the adversary scans for publicly reachable FastChat instances with the Arena Side-by-Side view enabled, using Shodan or similar tools to identify exposed Gradio-based interfaces.

2. Exploit Control Flow (AML.T0049): the adversary sends crafted requests to the add_text handler of one of the three arena views whose handler file was not patched, triggering the CWE-670 incorrect control flow in the comparison processing logic.

3. Evaluation Manipulation (AML.T0031): malformed inputs cause arena battle responses to be misattributed between models or processed out of sequence, skewing head-to-head comparison scores without producing visible errors.

4. Impact: Integrity Loss (AML.T0048.001): corrupted arena rankings silently influence model selection or procurement decisions, potentially leading to deployment of an inferior or attacker-favored LLM in production.

What systems are affected?

Package: fschat
Ecosystem: pip
Vulnerable range: <= 0.2.36
Patched: none (partial fix only, commit 34eca62)
Package profile: 43.0K, OpenSSF Scorecard 5.6, 685 dependents, last push 4d ago, 26% patched, ~110d to patch

Do you use fschat at version 0.2.36 or earlier? You're affected.

How severe is it?

CVSS 3.1: 5.3 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 22% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM
Sophistication: trivial
Exploitation confidence: medium
CISA SSVC: public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: Low
A: None

What should I do?

6 steps
  1. Upgrade fschat only after confirming that the new release applies the fix from commit 34eca62 to all four arena handler files, not just gradio_block_arena_named.py.

  2. If you run a version that claims to include the partial fix, manually inspect the other three arena handler files for the same control flow defect, comparing their add_text handlers against the patched one.

  3. Immediately restrict network access to arena comparison endpoints via reverse-proxy authentication or firewall rules; arena views should not be publicly reachable.

  4. Monitor GitHub issue #3834 and GHSA-f3q6-69f3-vwch for confirmation of a complete patch before treating the issue as resolved.

  5. Review arena session logs for anomalous or malformed payloads reaching the add_text handler, and for arena traffic from outside the intended internal network, as indicators of exploitation attempts.

  6. Consider replacing fschat with an alternative evaluation framework given the package's history of 52 CVEs and 5.5/10 OpenSSF Scorecard.
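Steps 1 and 2 ask you to confirm that whatever guard the fix adds to add_text() in gradio_block_arena_named.py is also present in the other three arena handler files. The script below is an added example written for this page; it is not FastChat code or the project's own tooling. It extracts the early-return guard sequence of add_text() from a reference file with Python's ast module and reports which of those guards each sibling file lacks. The two handler bodies embedded in it are constructed stand-ins with a hypothetical missing guard (check_rejects); the page does not describe the real defect, and the script does not encode it. Against a real install, pass the patched file first and the other arena handler files after it.

```python
"""Check that the add_text() guard sequence in a patched arena handler file
is present in its sibling arena handler files.

Added example for this advisory page; not FastChat code. The handler bodies
below are constructed stand-ins: the real CWE-670 defect is not described
on the page and is not encoded here.
"""
import ast
import sys
from pathlib import Path


def guard_tests(func: ast.FunctionDef) -> list[str]:
    """Return, in order, the test expression of every top-level `if` in the
    function body whose block exits with `return`. These early exits are the
    control-flow guards a handler uses to refuse or short-circuit input."""
    guards = []
    for node in func.body:
        if isinstance(node, ast.If) and any(isinstance(s, ast.Return) for s in node.body):
            guards.append(ast.unparse(node.test))
    return guards


def add_text_guards(source: str) -> list[str]:
    """Locate add_text() in a module's source and return its guard tests."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == "add_text":
            return guard_tests(node)
    raise ValueError("no add_text() function found")


def compare_handlers(reference: str, others: dict[str, str]) -> dict[str, list[str]]:
    """Map each sibling file name to the reference guards it is missing.
    An empty list means the file carries every guard the reference has."""
    ref = add_text_guards(reference)
    report = {}
    for name, src in others.items():
        present = set(add_text_guards(src))
        report[name] = [g for g in ref if g not in present]
    return report


def compare_files(reference_path: str, other_paths: list[str]) -> dict[str, list[str]]:
    """Same comparison against files on disk, e.g. the arena handler files of
    an installed fschat; the operator supplies the paths."""
    reference = Path(reference_path).read_text(encoding="utf-8")
    others = {p: Path(p).read_text(encoding="utf-8") for p in other_paths}
    return compare_handlers(reference, others)


# Constructed stand-ins (not FastChat source). Both follow the shape of a
# Gradio event handler; the stale one logs a rejected input but falls
# through instead of returning, a hypothetical CWE-670-style slip.
PATCHED_HANDLER = '''
def add_text(state0, state1, text, request):
    if state0 is None or state1 is None:
        return no_change()
    if len(text) == 0:
        return no_change()
    if check_rejects(text):
        return rejected_response()
    return dispatch(state0, state1, text)
'''

STALE_HANDLER = '''
def add_text(state0, state1, text, request):
    if state0 is None or state1 is None:
        return no_change()
    if len(text) == 0:
        return no_change()
    if check_rejects(text):
        log_rejection(text)  # no return: processing continues
    return dispatch(state0, state1, text)
'''

if __name__ == "__main__":
    if len(sys.argv) > 2:
        report = compare_files(sys.argv[1], sys.argv[2:])
    else:
        report = compare_handlers(PATCHED_HANDLER, {"stale_example.py": STALE_HANDLER})
    for name, missing in report.items():
        print(f"{name}: " + ("all guards present" if not missing else "missing " + "; ".join(missing)))
```

Guards are compared by their unparsed test expression, so a guard rewritten with different variable names shows up as missing and has to be reviewed by hand; that is the conservative outcome you want when deciding whether a deployment is actually patched.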

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
9.1 - Monitoring, measurement, analysis and evaluation
NIST AI RMF
MANAGE 2.4 - Mechanisms to address identified AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2026-6608?

CVE-2026-6608 is a CWE-670 incorrect control flow flaw in the add_text handler of FastChat's Arena Side-by-Side View, affecting fschat up to 0.2.36. It is exploitable remotely without authentication or user interaction and degrades the integrity of LLM head-to-head comparisons. A public proof-of-concept exists, and the developer's fix in commit 34eca62 covers only one of the four affected arena handler files, so no release is fully patched. See the CISO Take above for the full assessment.

Is CVE-2026-6608 actively exploited?

No active exploitation is recorded on this page: CISA SSVC lists Exploitation as "poc", and the issue does not appear in the KEV-based signals. Proof-of-concept exploit code for CVE-2026-6608 is publicly indexed, which raises the likelihood of exploitation.

How to fix CVE-2026-6608?

Follow the six steps under "What should I do?" above: hold the fschat upgrade until a release applies the fix from commit 34eca62 to all four arena handler files; inspect the other three arena handler files for the same control flow defect; restrict arena comparison endpoints to authenticated internal access; track GitHub issue #3834 and GHSA-f3q6-69f3-vwch for a complete patch; review arena logs for malformed payloads reaching add_text; and evaluate alternative evaluation frameworks given the package's 52 historical CVEs and 5.5/10 OpenSSF Scorecard.

What systems are affected by CVE-2026-6608?

This vulnerability affects the following AI/ML architecture patterns: LLM evaluation platforms, Model comparison infrastructure, Internal ML benchmarking pipelines.

What is the CVSS score for CVE-2026-6608?

CVE-2026-6608 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.31%.

What is the AI security impact?

Affected AI Architectures

LLM evaluation platforms, model comparison infrastructure, internal ML benchmarking pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0031 Erode AI Model Integrity
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 9.1
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was fixed in commit 34eca62 for gradio_block_arena_named.py, but three other files were missed.

Exploitation Scenario

An adversary identifies a publicly accessible FastChat instance used by an enterprise security team benchmarking LLM vendors for a production deployment decision. Using the public exploit gist as a reference, they craft HTTP requests to the arena's add_text handler in one of the three views whose handler file was not patched, bypassing the partial mitigation the operator believed was in place. The incorrect control flow causes the arena to misattribute model responses between the two competitors or to process prompts out of the intended sequence, subtly skewing head-to-head battle scores. Over multiple sessions, the manipulated results quietly elevate a weaker or attacker-favored model in the internal rankings. The security team, unaware of the manipulation, recommends that model for production deployment on the strength of what appears to be objective benchmark data.
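Step 5 of the remediation list asks for a review of arena logs for exploitation indicators, and the scenario above describes what the traffic looks like: repeated crafted requests to add_text from an outside host. The scanner below is an added example written for this page, not part of FastChat or the advisory. The log line format it parses (handler name, arena view, client IP, input length) is an assumption to be adapted to the deployment's actual logging, the sample lines are constructed, and the thresholds (MAX_INPUT_LEN, BURST_WINDOW, BURST_COUNT, INTERNAL_NETS) are illustrative. It flags three things: add_text events from addresses outside the internal ranges (which step 3 says should not occur), oversized inputs, and request bursts from a single source.

```python
"""Scan arena handler log lines for signs of the add_text abuse described on
this page.

Added example for this advisory; not FastChat tooling. The line format, the
sample lines and the thresholds are constructed assumptions to adapt.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> | LEVEL | add_text (<view>). ip: <addr>. len: <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| \w+ \| add_text \((?P<view>[^)]+)\)\. "
    r"ip: (?P<ip>[0-9a-fA-F:.]+?)\. len: (?P<len>\d+)"
)

MAX_INPUT_LEN = 3000                  # illustrative input-size policy
BURST_WINDOW = timedelta(seconds=60)  # illustrative burst detection window
BURST_COUNT = 20                      # add_text events per window that count as a burst
INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918; adjust to your network

# Constructed sample: two internal users, one external host sending an oversized
# input, and one external host hammering the named arena view.
SAMPLE_LOG = "\n".join(
    [
        "2026-04-21T09:00:01 | INFO | add_text (named). ip: 10.0.0.5. len: 42",
        "2026-04-21T09:00:03 | INFO | add_text (anony). ip: 10.0.0.7. len: 120",
        "2026-04-21T09:00:04 | INFO | add_text (named). ip: 203.0.113.9. len: 18",
        "2026-04-21T09:00:05 | INFO | add_text (named). ip: 203.0.113.9. len: 65535",
    ]
    + [f"2026-04-21T09:01:{s:02d} | INFO | add_text (named). ip: 198.51.100.4. len: 10" for s in range(25)]
)


def parse_events(lines):
    """Turn matching log lines into (timestamp, view, ip, length) records; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["view"], m["ip"], int(m["len"])))
    return events


def find_indicators(lines, internal_nets=INTERNAL_NETS):
    """Return external source IPs, oversized inputs and per-IP bursts."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    events = parse_events(lines)

    # Arena views are meant to be internal-only, so any other source is notable.
    external = {ip for _, _, ip, _ in events if not any(ipaddress.ip_address(ip) in n for n in nets)}
    oversized = [(ip, ts.isoformat(), n) for ts, _, ip, n in events if n > MAX_INPUT_LEN]

    # Sliding window per source: the largest number of events within BURST_WINDOW.
    stamps_by_ip = defaultdict(list)
    for ts, _, ip, _ in events:
        stamps_by_ip[ip].append(ts)
    bursts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_COUNT:
            bursts[ip] = best

    return {"external_sources": sorted(external), "oversized_inputs": oversized, "bursts": bursts}


if __name__ == "__main__":
    for kind, hits in find_indicators(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {hits}")
```

Run it over the real handler log once LINE_RE matches your deployment's format; an external source hitting add_text at all is the strongest signal here, since it means the access restriction from step 3 is not in place.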

Weaknesses (CWE)

CWE-670 — Always-Incorrect Control Flow Implementation: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

Published: April 20, 2026
Last modified: April 23, 2026
First seen: April 20, 2026
